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In this Issue 

In bttsiness computing, the trend \s away from centralized mainframes and 
towards client/server networks that handle the computing needs of an entire 
enterprise. The article on page 8 is aboutthe design of a new high-end HP 
corporate business server that had the objective of setting new standards for 
commercial systems performance and affordability. The destgn is based on the 
HP PA 7100 CPU chip, a superscalar implementation of HPs PA-RISC processor 
architecture operating at a clock frequency of 90 megahertz. (Superscalar means 
that a processor can issue more than one instruction — typicafly 2 to 4- per clock 
cycle. The PA 7100 can issue two instructions^one integer instruction and one 
floating-point instruction — per clock cycle.) The new corporate business server 
can have up to twelve PA 7100 processors symmetrically sharing the workload, and performance in- 
creases approximately linearly with the number of processors. The internal bus structure is new. The 
design and protocol of the processor memory bus, which interconnects the processors and the memory 
system, result in excellent online transaction processing performance and efficient multiprocessor work- 
sharing. High input/output throughput is achieved by means of high-slot-count I/O buses arranged in a 
two-level tree. Main memory capacity can be as high as 2G bytes 12,147,483,648 bytes) of error-correcting 
memory and disk storage capacity can be as high as l,9Tbytes (1,900,000,000,000 bytes). A dedicated 
servEce processor reduces the time it takes to correct hardware failures Depending on which operating 
system it runs, the new corporate business server is designated the HP 9000 Model T500 or the HP 3000 
Series 991/995. 

While the new high-end corporate business servers were being designed, another design team was 
working on making symmetric PA-RISC multiprocessing available to users of midrange HP 9000 and HP 
3000 servers. The article on page 31 discusses the design of a new processor board using two PA 7100 
chips. By making one processor the 'monarch" and the other the 'serf" and deciding that if one proces- 
sor failed the other would not continue to operate, the designers eliminated most of the complexity in 
symmetric multiprocessing and were able to provide the basic performance advantages quickly and at 
low cost The midrange servers that use this board are the HP 9000 Models G70, H70, and 170 and the 
HP 3000 Series 98Z 

The HP SoftBench Framework is widely used in the software development industry to create custom 
software development environments by integrating common software development tools such as pro- 
gram editors, builders, and debuggers, static analyzers, electronic mail, and others. SoftBench Message 
Connector (page 34) is the new user tool interaction facility of the SoftBench Framework. It allows users 
of the framework to customize their environments quickly with simple point-and-click actions. For exam- 
ple, a text editor and a spell checker can be connected so that when the user saves a file with the editor, 
the spelling is automatically checked and the user is notified only if errors are detected. Tool interaction 
branching and chaining are supported so the user can create routines that use multiple tools and exe- 
cute automatically without the user's explicitly invoking each tool. Message Connector is designed to 
require no training. 

Contrary to my initial reaction on hearing the term, cleanroom software engineering doesn't mean develop- 
ment of software for the cleanrooms used in integrated circuit manufacturing. Its a metaphor for software 
engineering that mimics the way processes and the environment are carefully controlled and monitored 
in a cleanroom to ensure that the chips produced there are free of defects. The goal is nearly defect- 
free software, whatever its function. The article on page 40 explains the cleanroom methodology and 
software fife cycle, and tells aboutthe remarkable results achieved when the methodology was applied 
in a limited way in a typical HP environment. 
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In printed circuit board manyfacturmg. automated high-speed assembly machines are used to place 
components on the boards. In a mariufacttiring facility that produces multiple products at low to medium 
volumes, the machines mustlje set up in different ways to produce different products. While tfiey ^^^ 
being set up they aren't productive, so a mafor concern is how to minimize the setup time, if the facility 
has more than one machine, another major concern is machine balancing, or how to assign products to 
the various machines most efficiently. An exact mathematical model of these problems is too complex 
too solve, so engineers at HP's Colorado Computer Manufactyring Operation resorted to fuzzy logic, a 
msihematicat tool that's becoming more widely used for dealing witfi the inexact aspects of the real 
world. Using fuzzy concepts, they developed an algorithm for assigning printed circuit boards to families 
that use similar setups, and an algorithm for assigning the families to machines. The article on page 51 
explains the problem, provides some basic fuzzy logic theory, describes the algorithms, and presents 
results. The fuzzy family assignment algorithm outperforms the greedy board algorithm, formerly the best 
available method. 

R.R Dolan 
Editor 



Cover 

The processor board designed for the new high-end HP corporate business server has up to two pro- 
cessor modules based on PA 7100 superscalar PA-RISC chips (under the circular heat sinks). The server 
can have up to twelve processors (six boards) for twelve- way symmetric multiprocessing. 



Wliat's Ahead 

Leading off the August issue will be a design article on the HP 48GX scientific graphing calcufator Other 
articles wilt describe high-speed digital transmitter characterization using eye-diagram analysis and a 
new foam-chassis packaging technology called HP-PAC From the 1393 HP Technical Women's Conference 
we'll have papers on the design of linear vascular ultrasound transducers^ on temperature control in 
supercriticaf fluid chromatography, on data-driven test systems, and on the use of structured analysis 
and structured design in the redesign of a terminal and printer driver. 
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Corporate Business Servers: An 
Alternative to Mainframes for 
Business Computing 

With expandable hardware, PA-RISC architecture, symmetric multi- 
processing, a new bus structure, and robust error handling, these systems 
provide a wide range of performance and configurability within a single 
cabinet. Standard features include one to twelve symmetric PA-RISC 7100 
multiprocessors optimized for commercial workloads, main memory 
configurations from 128IVI bytes to 2G bytes, and disk storage up to a 
maximum of 1 .9 terabytes. 

by Thomas B. Alexander, Kenneth G* Robertson, Dean T, Lindsay, Donald L. Rogers, John R. 
Obermeyer, John R. Keller, Keith Y» Oka, and Marlin M, Jones, II 



The overall fiesign objective for tlie HP 9000 Model T500 
coqinrate htisiness si^rvcr (Fig. 1) was to set new standards 
for commercial sysleins perfomiancc aiid affordabilitj; 
Combining expandable hardware, PA-EISC architectuie, 
synmietric multiprocessing wiLli up to 12 processors, a new 
bus design, robust error haiKiling, and the HP-UX* operating 
system, the Moriei T500 delivers a cos t-effee live alternative 
to mainfrajne solutions for business computing. 

Users of HP's proprietarj'^ operating system, MFEl/iX, also 
enjoy the benefits of the Model T500 htirdwarc. These sys- 
tems are designated the HP 3000 Series 991/995 corporate 
business systems. They provide high performance by 



supporting froni one to eight processors with superior value 
for tlieir ciass. The MJ^PViX system is designed to support 
business-critical data and offers features such as powerful 
system management utiht ies and tools for peribrmance 
measui'ement. 

bi tliis paper, tlie hardware platfomi for both the HP-UX and 
the MPR/iX systems will be refened to as the Model T500. 
The Model ^fr^OO is an update of the earlier IIP 9000 Model 
890/100 to S90/400 systems, wiiich supported from one to 
four PA-RISC processors operating at 60 MHz. For MPE/iX, 
the Series 991/995 is an update of the earlier Series 990/992 
systems. 




Fig. 1. The UP 9000 Model T500 
corporate businos.^ serv^^r (right) 
is designed as an altcnuiuvc to 
maiiifraiiie sohiticms ior oniiiie 
transactiuu processiiig and othej' 
business compuliiig ap^jlS? nations, 
It nins the HP-LIX oin^riUiEtg sys- 
tem. The same hardware ninuiiig 
the MPE/iX operaiing system is 
deaigiialed the HP 3lNJt,l Series 
991/995 corpora Le busint^ss sys- 
tems. Tiie Model T500SPtl (right) 
is shown here witli various tjeripli- 
erals and expansion uiothiies. 
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Fi^. 2. HP Uin\\\ WtnWl T'lfH) systoni [inn ^-sstng uriti block fliaftraiTL 

Standard feahin^s of tiu^ Model 7500 mtiudo (me In twf'Ivt^ 
symmotric PA-RISC niiilliproct^ssors onlirnizi'd fur ('oiiirnt^r- 
eial workloads and njicratinsal JiM) MTIz. luairunrnujt'y lOii- 
figurations IVoni 128M bytt^s to 2(i byt.c^sj aiul tiLsk storage up 
r.o a maxiniiim (}f Lf) Tbytt^s (1900 Gbytes). This expandabil- 
ity allows the Modt^l TriOf) to pro^ifle a wide range ofperfor- 
inaiK't* and configurahility wilJiiii a single rat) i net. 'Hie Mfxiel 
T500's package niijiiniizes the r(H]niiVft floor spar e, while air 
rooling removes tlie need for expensive ni<iitilratne-tyi>e 
mioling systems. 

The Model T500 is desigoed to provide leading priee/ 
performance. The HP flOOO Mtnlel TFtOf) with six PA-RISC' 
7100 proeessoi's ojH'ratiiig at MtJ MMz h:Ls achieved 2110,5 
traiLsactifnis per minute on the TFC-C benchniaik (U.S.S21 15 
per tpmO.tt The SPECYate (SPEC^rate.int92 ajid SPEC- 
rale fp92) tKnu^hmark results show linear scaling with the 
number of jiroces.s(»rs, whirh is expected for C PI -intensive 
workkiarls with no uuilurij data dependencies. Tlie Model 

t HewJett Packard Journal tmmm^ si/e osnvenKons. 
I ktjyte = I OCN] bytBS IK byies = 1,0?^ bytes 

I Mbyte - 1 ,000,000 bviss 1 M bytes - 1 .0Z4^ bytes - 1 .048.&?6 bytes 

I G hvte = 1 , DOQ.ODO.OOO bvtes 1 G byrts - 1 .024^ bytes ^ 1 ,07374 1 ,B24 byres 

t JbiXG= l.EHK),0l}D.O0O.OOflbyies 

1 1 thfj Transaction Pfocesamg Cetunni rsquires that the cctst per rpiTi be staled as pan ot rhe 
IPC pierfDrmanr.fl ftisults Cos! per Tpm will vary from country to country, ffie cost siatBd hem 

isfurriheU.SA 



T5()0/40O reaches 38 J80 SPE(;rate_fti92 ;ind 23,717 SPEO 
rate, intil2 with twelve processors* 

The Model T500 provides tins Mgh ievel of performance by 
ijsin^ a bahmced bus architecture. The processor memory 
bus curnMiily pr<iv1des the main processor-to-meinory or 
processor-to-I/O interconneef with a bandwidth of 500 
Mbytes/s and a pottnitlal capability up to 1 (ibyte/s. Tlie I/O 
buses piovide a total aggregate I/O l>andwidih of 256 
Mbytes/s. These handwidrhs satisfy the high data sharing 
requirements of conuuercial vvorkhiads. 

System Overview 

The key to the MtKlel TSOO's expandability anci performance 
is its bus structure. ^Fhe processor niemor>' bus provides a 
high- haiid w id! h coh ere nt f rajne work t h at t i e s t b e t ight ly 
roup led syiu metrical multiprocessing PA-RISt' processors 
togeiluT with ]/i ) m\d memory. Fig. 2 sliows a block diagram 
of the Moilel 1'500, 

The processor memoiy bus Is a OO-MIlz bus implemented on 
a l6-slot backy)hme with eight slots suitiible for processors 
or memory' boards and eight slots suitable for I/O adapters 
or memory b*>ards, Eacli sloi can contain i\s many kis four 
moduI(\s, and <"au obi mil ils fuir fraction trf the bandwidth 
provided by die system bus. ( iistf>m cinaih rlcsigns allow 
the bus (o operate at a high fxequenc-y without sac^rificing 
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{)hysiral c onnectivily. To prevent system bus bandwidth 
from becoming a boUlent^ck a.s the nimibcr of processon^ 
mcreases, tJie bus protocol miiuiiiizes bus contention and 
unprofliirtjve I raffle without abiding undue complexity to the 
bus mociules. 

To support such a lai^e number of slois the processor mem- 
ory bus Ls physically laige and has an electric;al len^b of 13 
inches. State-of'the tut \T.S1 design and mechanical layout 
allow the processor memory^ bus to run at 60 MHz — a very 
liigh frequency of operation for a bus of this size. 

The input/output subsystem links t he processors and mem- 
oiy on tlie pjTK'essor memory bus to I/O devices, including a 
variety of networks. Tbc Model T500 supports attachment of 
up to eight Hewlett -i'ackard precision buses (HP-PB), each 
of wiuch connects ni> to \4 1/0 cards. The first HP-FB is uv 
iemal to the Model l^^tJCJ mid the other HP-I'Bs would be 
located m adjacent racks. Each HP-PB comiecls to the pro- 
cessor memory bus through a linked bus converter consist- 
ing of a dual bns convciter, a bus converter link, ajid an 
HP-PB biLs converter. L'uder normal operating conditions 
the bus converters are transparent to software. 

Tlie service processor consists of a single card whose pur- 
pose is to provide hardware control and monitoring fiuictions 
for the Model T5D0 and a user interface to these functions. 
To achieve this j^uipose, the senice processor has comxec- 
tivity to mar^y pHits of the Model T50tl Tbc scan bus is con- 
troUed by the seivice processor and x>ro\i<:les the service 
processor wit ti scan access to all of the processor memor>' 
bus modules. The scan bus is used for configuration of pro- 
cessor memory bus modules imd for manufactiuijig test. 
The service processor also pro\ides tlie clocks used by pro- 
cessor memory bus modules imd controls the operation of 
these clocks. Tlie service processor provides data and in- 
stnictions for tlie processors over the service processor bus 
during system initialization and error recoveiy. The service 
processor connects to the control panel and provides the 
system indications ihsplayed there. The service processor 
provides its user Interface on the ccjnsoU^ terminals thiough 
its coiuiection to the console/LAN cai'd. 

The service processor also contains the power system con- 
trol and monilor, which is responsible for controlling and 
monitoring the Model T500'a power anci environmental sys- 
tem. Tlie main power system receives 200-2 40V suigle-phase 
mains ac and converts it to .100 Vdc. Tliis 300V supply is then 
converted by various dc-tfj-dc converter niodiiles to the 
needed system voltages (e.g., one module is 300 Vdc to 5Vdc 
at 650W.). The powder system control and monitor addition- 
ally controLs the system fans and power-on sigiuds. The 
power system control and monitor performs lis functions 
under senice processor ct:introl imd reports its resLdls to the 
service processor. 

Processor Memory Bus 

Tlie present implenientation of the Model T5O0 uses HO-Mllz 
PA-i^lSC centnd processmg units (CPUs)^^"'^ interconnected 
witli a high-speed processor memo ly bus to support sym- 
n^etric iwelve-way multiprocessing. Tills section focuses on 
tlie feat II res and design decisions of the processor memory 
bus, which ailoxvs the system to achieve excellent online 
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R ^ Real Address 
V= Virtual Address 

Fig. 3. FrfK:t'88f>r niejtiory btLs pipeline. 

transaction processing (OLTP) performance and efficient 
multiprocessor scaling. 

Bus Protocol 

The prticessor niemorj' bus is a synchronous pipehned bus, 
Tlie pj]jellned nature of the bus protocol places it between a 
K|)lit transaclion protocol and ai> af omic transaction proto- 
col This allows the processor meniorj' bus to have tlie 
performance ot a split transaction bus with the lower 
implementation complexity of an atomic trar^sact ion bus. 

The I processor memory bus has separate address and data 
buses. The address bus is used to transfer address and con- 
trol infonnation and to initiate trajisactions. Non-DMA I/O 
datii is also transfened on tlie address bus. The data bus 
transfers nieniory data in blocks of 1 ti, 32, or (54 bytes. The 
processor data bus in the present implementation is 64 bits 
v^ide, altliough t he protocol, backplane, and nieniory system 
also support 128 bit-wide accesses. For 32 -byte transfers on 
the data bus, the availat^le bmulv^ddth is 480 Mbyti^s per sec- 
ond. If processors use all 128 bit^ of the data bus to perforiu 
64 byte tnmsfers, the bandwidth doubles to 960 Mbytes per 
second. 

Fig, 3 shows the processor memory bus pipeline. Four con- 
secutive processor memory bus states arc referred to as a 
quad. A transaction consists of a quad on die address btis, 
followed at some fixed i ime by a quatl on the data bus. 

An address quatl consists of an arbitration cycle, an I/O 
cycle, a real address cycle, and a \4rtual address cycle. The 
arbitration cycle is used by bus masters to arbitrate for use 
of the bus. The 1/0 cycle is nsed to transfer data in the 1/0 
adth-ess space. The real atidress cycle is used to transfer the 
nieniory or I/O address and to indicate the transaction type. 
The lirtual addiess cycle is used to transfer the %4rtual uidex 
for cache colierency checks. 

A data quad conslsiij of four data transfer cycles. Tlie fixed 
time between address and <iata quads is programmed at sys- 
tem initiahzation. Tliis arrange[neut allows multiple pipt^Mned 
I ransactions to be in progress at the same time. Since data is 
retunted at a fuced time after the address quad, the module 
rettiniing data automaiically gets access to the data bus at 
that rime. Tlie set of supported transactions includes reads 
and writes to memory address space, reads and writes to i/0 
address space, and cache and TLB (translation lookasifle 
buffer) control transactions. 
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If a iraiisaction ts iiiiiiateci on the prcxessor memoty bus. but 
a module (either the sla\'e or a ilurd party) Is noi prepared 
to participate iu the traitsaetion, that module has the Q[)tioii 
ofhusifing the transatiion. When the master sees that its 
trjutsaction is busied, it must retjy the tratisaciioa at a later 
tinie. Easy is appropriate, for exaniiile. when the biLs adapter 
is asked to forward a read transaction to the lower-speed 
precision bus (see '*Arbitration*' below for more information). 

For cases in wtiieb a mocUile requires a brief rc^spite from 
piuiieiparing in ircuvsiuiions. ii cai\ woti tfie bus, iliat is, it 
ran freeze all adtiress and tjata bus activity. It does this by 
asserting the wait signal on the bus. The wait facility is 
analogous to a stall in tlie jirocessor pipelme. 

Multiprocessor Bus Protocol 

Tlie prot essor jneiuor>^ hus iirovides cache aiid TLB coher- 
ence Willi a snoop f/^ [uottx'ol, Whenever a coherent transac- 
ticju Ls issued on the bus, eac h processor (acting as a third 
party) perfonns a cache coherency check using the virtual 
index and real address. 

Each lhird-[>arty processor is rt\s|>onsible rt>r signaling cacbt^ 
coherency status al a fixed time after Ihe address (luatL The 
Ihird party sigiuds that llic cache line is in (me of f<iur stales: 
shared, private clean, private (Urly (ir not presenh The re- 
questing processor intcn^rets the coherency status to deter- 
mine how U) nuirk Ihe cat lie line slate (private clean, private 
dii1y, or shared), Tlii* third party also updates ila cache line 
state (no change * shared, or not present). 

If a tlurd party signals that it has the requested line in the 
private dirty slate, then it initiates a cache^ti>-cache transac- 
tion at. a foted tunc* after the address (juad. The R*c|uestjng 
processor discards the data received from main memory for 



tJie uiitial request and instead accepts tlie data directly from 
the tiurd party in a cache4o-cache tr^isfer. At tMs same time 
the data from the third partj^ is written to main memory. The 
timing of these events is shown in Fig. 4. 

Since the processor memory bus allows multiple outstand- 
ing pipelined tnuisactioiLs, it is important tliat processor 
modules be able to perform pipelined cache coherency 
cliecks to take niaKimum advantage of the bus bandmdth. 
Fig. 5 shows an example of pipelined cache coherency 
checking. 

Programmable Parameters 

The processor nieinory bus protocol permits many key bus 
timing parameters to be progranuned by initialization soft- 
ware. Progianuning allows different implementations to 
optijoize ttie ]»ar«imeter values to increase system perfor- 
maiici' and reduce implementation complexity. Initializal ion 
softwaie calculates the minimum liming alU>wed for iJie 
given set of installed hus modules. As new modules are de- 
signed that can operate with smtUler values (liigher perfor- 
mance), initialization software simply reassigns the values, 

Tlu^ i>rogrammable parameters include: 

• Address-to-Dala Uilency The time from the real address 
of the address ijuad to the first data cycle of the data quad* 
The present implemet\tation achieves a latency of 217 
nanoseconds. 

• Coherency Signaling Time. The time required for a proct^ssor 
to perform a c*ache coherency check and signal tlie results on 
the bus. 

• Cacbe-Lo-Cache Time. The time from Uie address quad of 
the coherent rea*! tninsaction to the address quad of the 
cacbe-lo-cache Iransiicnion. This value Ls tiie time required 
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for a processor to do a cache coherency check and copy out 
dirty data. 

• Memory Block Recovery Time, The time it t^es a memory 
block to ret^over from m\ access and become ready for the 
next access. 

• Memorj' Interlea\ing, The memory block id en tiller assign- 
nients, Tiic Jissigii merits depend on the size mu} number of 
memory blocks installed in tJie system. 

Arbitration 

The processor memoiy bus ases three dirferent iirbit ration 
rules to detennine when a nioflule cati get access Id the bus. 
The first rule, used for referent^es to niem«>r>', stales that a 
master can arbitrate for a memoiy block only after the block 
has recovered from the previous access. Bus masters imple- 
mtmt this by obscning all transactions on the processor 
memory bus. Since memoiy references include the block 
ideiitiOer ami the rcco\x^ry times are known, masters refrain 
from arbilralion for a bn^y block. The benefit of this arbitra- 
tion rule i.s tliat. men^or>^ modules do nol have to queue or 
busy transactions, and therefore bus bandwidth is conserved 
because evety memory transaction is a liseful one. 

Tlie second arbitration rule, used for references to I/O 
address space^ requires that a master of a busied 1/0 trans- 
action nol retry Itie transac1i<Jn ntilil fl>e slave hkis indicated 
that it is ready to accept the transaction. The slave irniicates 
readiness by asserting liie original master's arbitration bit on 
the bus. The master detects that the slave has restarted Eir- 
bitration and continues to attempt to win arbitration. This 
nile prevents masten^ from wasting bus bandwidth by con- 
tinually retrying the tiansaction while the slave is not reafly 
to accept it^ and avoids most of the eoinplexity of requiring 
slaves to master a return transaction. 

The third mechanbtu. refened to as disiritmfed priohti/ 
iLst arbitration, is invoked when mnliiple nrasterssinnilta- 
neoiisly arbitrate for the processor memoiy bus. Distriljuied 
priority list arbitration is a new scheme for general aibitra- 
tion. It uses a least -recently-used algorithm to determine 
liriority on the bus, A inasier iiiiplemeuts disnibuted priority 
lis! mbitration l:iy mainiainhig a list of masters that have 
higher priority than itself *md a list of masters that have 
lower priority. ThiLs. an arlnt rating master can determine it 
has won by observing that ikj higher-priorify master has 
arbitrated. Tlie identity of the winning ntasteris driven onto 
tlie 1 processor memory' bus in \he address quad. Mast ens 
then update their lists to indicate t hey now have liigher 



priority than the winner Tlie winner becorues the lowest 
priority on all lists. This arlHtraliun srlienie guarantees fair 
access to the bus by all masters. 

Eleetrka) Design 

The processor memory bus has the somewhat conflicting 
goals of high comiectivity { wliich implies a long bus length ) 
and higli bandwidth (which imphes n high frequency of op- 
eration and a tonespondingly short bus length). A tyi]ical 
solution to these goals might use custom transceivers and 
operate at a frequency of 40 MHz, However, by using custom 
VLSI incident wave switching, kind state-of-the-art design, the 
Model T50(l [irocessor memory bus allows relial>le operation 
at GO MHz over a 18-inch bus with Hi t^ards insl ailed. 

Each board on the processor memory bus uses two types of 
custom bus interface transceiver ICs. The first IC type incor- 
porates 10 bits of the processor memory bus (per package), 
error detection and coneclif>n logic% and two input poris 
(with an intemal 2:1 nujltiplexer) in one 100 [>in qnad flat 
package. This It' is referred to as a t>rocessor nieniory bus 
transceiver in this mticle. Tlie second IC type perfonns ail of 
the above duties but adds arbitration control logic and con- 
trol of 20 bits on the processor memory bus in a 160-pin 
quad flati^ack. Tliis IC is referred to as an arbitration and 
address buffer in this article. The arbitration and address 
buffer and the processor memory bus transceivers iu'e 
implemented in HP's O.^micrometer CMOS process. 

Fig. 6 show^s the basic processor memoiy bus design. Each 
processor memoiy bus signal line has a ■14-ohm termination 
resistor tied to IW at each end of the bus. Each cm d installed 
on the processor memoiy bus has a scTies tenniuating resis- 
tor of 22 ohms between the comiector mid a correspcmding 
bidirectional buffer transceiver for the processoi' memory 
bus> 

For asserted signals (active low) the output driver transistor 
in Fig. 7 turns on. This pulls the 22-ohm resislor lo approxi- 
mately groimd wliich (through the resistor divider of 22 ohms 
and two ^J4-ohm resistors in parallel) piills the processor 
memory bus signal to approximately 1.0 volts. On deas- 
seried signals tht> (output drivt^- is off and the 34'Ohni resis- 
tors at each end nf die bus laill the bus \u a high level of 
appniximately 3V. 

The receiver (a greatly simplified vei^ion is shown irt Fig. 7) 
is a modified differenrial pain One input of tJie difft^rential 
pair is connected to an external reference voltage of 2.55V, 
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• IM-byte instruction cache (I cache) and IM-byte data cache 
(D cache) per module, 

Performajice Improvement 

Relative ti> ius pre<^lecessor. the Model T500 s processor 
board SPEC integer rate Is Improved by a factor of Lf* times 
and the SPEC noatmg-pomt rate is impro%'e<l by a factor of 
3.4 times. T\\e Model T5(X) s processor pcrfomiance relative 
to it;s predecessor is sho^n in the table below. 

Model T500 Model 890 

CPU Clock 
Bos Clock 
Cache Si^e {per CPU) 






T\h-^ <iHier input of the riifferential pair Is connected to the 
l)rocessor utemnr>' bus. Use of a differential pair receiver 
allows incident signal switcliing (i.e., the fii^st transition of 
the signal is detected by the receiver) and precise level 
control of the input switch point. 

The 22-ohni series resistor performs several important fimc- 
tions. First, wlien a transceiv€*r asserts a signal, the resistor 
limits piill-dowTi current. Second, for boards w^here the trans- 
ceiver is not driving, the 22-ohni resistor helps isolate the 
processor memory has fn>ni the capacitive iuul inductive load 
present eti by the inactive buffers mid hoaid traces. LiLstly, 
the 22-0 lull resistor helps dampen transient waveforms 
caused by ringing. 

Processor Board 

Tlie processor board used in the Model T500 is a hardware 
performance nppjrad*' produtt that replaces the original pro- 
cessor hoard (jf Ihe 111* JMIOO Mo<lel 890 coq>orafe hUxSiness 
server VViih u]) to tw^o processor modules per ])rocessor 
btjaixl, I he dual processor boarfi allow^s the Mcjdel T500 sys- 
ttnw It) arhieve up to twelve processor systems. Additionally, 
the use of the PA-RISC 71(H) |>rocessor improves unipro<*essor 
perfonnance. The key feaiures of the Model Tr>()0's processor 
include: 

• Direct replacement of the original processor board (cannot 
be mixed with cjriginal processor homds in the same system). 

• Increased rTmltiprocesstng performance with support for 
one to twehe CPUs. 

• Pnicessor modules based on fJO-Mllz PA-RISC 7100 CPIT 
chip''^ with nivchijj float ing-pciint co])rr»cessnr for higher 
iiniprocessfjr integer anil lloai ing-point peifonuance, 

• Processor modules thai all<iw single-processor smci diuil- 
processor configurations per processor slot, Eiisy field 
upgrade to add a secxmd processor module to a single 
processor module board. 

• Processor ehx k fretjut^u^y fH) MI Ix, prot^essor memory bus 
clot^k frequency r>0 MHz. 



SPEC!nt92 
SPECft>92 

SPEC iate_intn2 (1 CFIT) 
SPBC:rate_int02 (2 CPUs) 
SPBCrate_int92 (4 CPUs) 
SPECraie_im92 (S CPUs) 
SPECrate_int92 ( 12 CPUs) 
SPECrate_^f)2 (1 CPU) 
SPECraie_fp92 (2 CPUs) 
SPE(^rate_fpM2 (4 CFVs) 
SPE(^rale_fpn2 (8 CPl^s) 
SPECratc_fpfl2 (12 CPUs) 
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Hardware Overview 

The Model T500's processor iH^ard consists of one or two 
processor modules, a set of 12 processor memory hns trans- 
ceivers (4 address mid B data hus tnmscejvers), an arbitra- 
tion iind atldress buffer, tw^o processor interfat c chips, two 
sets of duplicate tag SRAMs, E(.'L clock geiierariou circuilrj^ 
four on-card voltage regulators, scan logic circuitry, coimec- 
tors, a iirintt^d tircnit lioard, imd mechimi<*al lijirdware. Fig. 
H shows die prcicesstjr lioar<l hanUvare block diagram. Fig. fl 
Is a pluJtograph of a processor board with two processor 
modules. 

Processor Modules 

The i)ro£H'ss(jr h*>ard is centered around two identical, re- 
movable processor modules based on the HI* 1*A 7100 CPU 
chip. Each module consists of a CPl; chip, 2f:i SRAMs which 
umke ui> ihe 1M4)>1(^ inshiiclinn cache (I caclie) and IM byte 
riala cache (D cache*), a i.l-iiirh-hy-4.44nrii 1 24ayer imnted 
circuit boiu^d, and a 100 piri P4HiS comu^cton 

Each processor module communicates with its processor 
interface chip llirough a 60-MHx, 32-bit multi[)lexed address/ 
data bus calU^d the P-hns. Ea<di module has a dedicated 
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Processor IVTemorv Bus 

P-bus* The P-bus has l35 data and address lines and iS 
control lines. 

Thp I cache and 1) rarhe earh have the following features: 

• Mbit actress (I rartie H4'hil doiii>U'-wjde word, l> cache two 
32 -bit words) 

• Direct mapped wit.li a hashed atldress ajid virtual index 

• Bandwidth up to 520 Mhytes/S 

• I and I) cache bypassing 

• Parity error detection in both I and D caches (parity errors 
in the I cache cause a refetch of the offending instruction) 

• 32-byte cache line size. 

The CPU chip has tJie following features: 

• Level 1 PA-RISC implementation with 48'bii virtual 
addressing 

• AddR\sses up to 3.75G bytes of physical memory 

• Multiprocessor cache coherency support 

• TLB (translation lookaside buffer) 

o 120-entry unined instruction and data TLB 

r F\illy associative with NlJli (uol used recently) 

replacement 

4K page size 

• Floating-point coprot^essor 

: Located on-chip 

- Superscalar operation 



Fig, 8, Proeei^or board 
orgaitiiKition. 




Fig. 9* MtxJel TM\ pmro-s.sDr hoani w\\\\ two Eirocf^sstir loodiiles. 



c Multiply, divide^ square root 
Floating-point arithmetic logic unit (FALLF) 

• P-bus system interface (to hus interface chip) 

• Serial scan path for test aiif I debug 

• Operation from dc to 90 MHz 
^ Perforniance improvements 

Load and clear opdmizations 
llaidwaie TLB miss handler support 
Ilardwaie static branch prediction 
■ 501-pin interstidal pin-grid array package. 

Processor Interface Chip 

Each processor interface clup transn^Ls transactions hetw^een 
its CPU and tiie rest of the system (memory, I/O, and other 
processors) via the ]>rocessor memory bus. Tlie processor 
interface chip for each processor module interfaces its CPU 
( through the P-bus ) to the the processor niemoiy bus traiis- 
ceivers and the arbitration mid address b idler. Tlie CPU's 
line size is 32 bytes, so the processor iiuerface chip provides 
a fi4-bit data interface to (he iMucessor memory bus Irans- 
c elvers. The two processor intertace cliips ronuiuinicate 
through separate ports oji the processor rnemoty bus trans- 
ceivers, which provide the reqmred multiplexing intemally. 

Each processor interface chip also contains an interface 
that allows it to conununicate with self-test, processor de- 
pendent code (boot and eiTor code), mid processor tiepen- 
dent h aid ware ( tjnie-of-day clock, etc.) on the senice pro- 
cessor board. The processor interface cliip is i nip 1 em en ted 
in HP's O.B-niicrometer CMOS process and is housed in a 
40S-pin pin-grid anay package. 

The proce-ssor interface chip has two feature^) to enhance 
the rnuhiprocessorperfomuince of the systejn: duplicate 
data rache tags and colieretU write buffers. The coiietent 
buffers support the processor memory bus's multiprocessor 
implememation of caclie coherence protocol. 

Duplicate Data Cache Tags. The interface chip maintains its 
own (lui)licate copy of the CPL' s data cache tags in t>ff-chip 
SKAMs. The tags contiiin the real address of each cache hne 
ajul the valiti and private bits (but not die diity Int ). The du- 
plicate cache tags are kei>t consistent with the CFl's data 
cache tags based only on ti\e transacuons through the inter- 
face chip. The thi|>ht ate tags allow the interface chip to sig- 
nal the status of a cache line during a coherent fxansaction 
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mcctsyred liy results of cache coherency checks* 

without querying the processor (which wotild reqttire a pair 
of transactions on the P-btis). Measurements (using Ihv pro- 
cessor interface chip's built-in performimcc counters) for a 
wide variety of bcnciuuarks show^ that for 80 to DO percent 
of coherent transactions, the cache Une is not present in a 
ihird-party CPU's data cache, as showTi in F\g. 10. The dupli- 
cat.e lags increase system perform art ce to varying degrees 
for diHerent workloads. Measuremeiiis on a four-processor 
system show duplicate tags increase system rlrioughput by 
M) for a C'PlT-jjt tensive workload aaid 21% for a niulUtaskiug 
workload. 

Coherent Write Buffers. To isolate? the CPU from traffic on tlie 
hus, th(^ interfact" (hip conlains a set of five cacho line write 
IjulTei's. Tlie bvilTei's are airanged as a circular Fll^^t ) usemory 
with random access, 11" the CPU writes a lint* to tncinory; Hie 
interface chip stores the Une in one of its biitfers lailtl it t. an 
win arbitration to write the line to ntemoiy^ Wfiile the line is 
in a buffer, il is t t>nsidenMl i>art of (he CPUls cachi'd daia 
from (he syslem hiis jjoint (jf view and participates in eotier- 
ence t^hetrking on ihe bus. These bLtlfers are also used iov 
temporal' storage of da la sent from the cache as a result tjf 
a coherency check that hits a dirty catOie line. By having 
many buffers, Hie inleriace chip is able to h^mdle nniltiple 
outstanding coherency checks. 

Pipeline 

The PA 7100 pipeline is a five-stage pipeline. One and a half 
stages itre associatetl with instruction fetching and tliree aiKi 
a half stages are associated with instmction execution. The 
PA 7i00 also has tlie abihty to issue and execute floattng- 
lKiLn( instmctions in partillel with integer instructions. Fig. 11 
shcms the (THI pipelim\ 

Inslnictton fetch starts in GKl of stage F and en<is in CKl of 
stage t, Por branch i>redi(iinn. tJie branch attrhcss isc;ilcu- 
laled in CKl of I and completes by the end tjf CK2 of L Thti^ 
address is issued to the f cache. 

From CK2 of I to CKl of B, the instxtiction is de(X)ded, oper- 
ands ait^ Fetchedt ^uid th<* ALII and SMU (shift merge unit) 
produce llieir results, I'he data caclic addn^ss is gtMU'tat c<l 



by the MX liy iJie end of CKl of B. For branch prediction, the 
branch address is calculated in CKl of B and completes by 
theendofCK2ofB, 

Data cache reads start in CK2 of B and end in ZKl of A. Load 
instructions and sub word store instructions read the data 
portion of tlie D eac he during this stage. For all load and 
store instmctions the tag portion of the D cache is read dur- 
ing this stage. The tag |>ortion of tJte D cache is addrc^ssed 
independently from the data portion of liie D cache so tfiai 
tag reads can occur concun^nlly with a data write for the 
last store instruction. Bram^h condition evaluation is com- 
pleted by the end of CK2 of B. 

The PA 7100 CPL' maiit tains a store btilTer which is set on 
tJie cycle after CK2 of A of each store (often CKl of R), General 
registers are set in CK2 of R. The store buffer can be written 
to the D cache starting on CK2 of F? and contimiing for a total 
of two cycles. The store btiffer is only written on CK2 of R 
when one of the next iiLstructions is a store instruction. 
Whenever tire next store instniclion is encountered, the 
store buffer will be written out to the cache. 

Clock Generation 

The clock generation circtiitiy provides GO-MIIz and 90- MHz 
differential clock signtds to the processor memory bus ititer- 
face ports and the processor modules, respet lively The 
Model T500's processor t>oar(l uses a hyl)ri<l phase-locked 
loop component developed especially foi^ the Model foOO. 
The phase-locked loop generate-S a synchronized DO-MHz 
processor clock signal from tlie (l{)-MHz processor memoiy 
bus clock. Clock distiiljuiion is hy differential ECLbuffei"s 
with supplies of +2.0V aiid -2.5V. The use of offset supplies 
for the IjCL allows oi>tinial tennination witli the 50-ohm 
term inat ion resistors tiett directly to ground, and allows 
clock signal leveis to be compatible witli tJie CMOS clock 
receive i*s. 

Thert* is no system support for hailing clocks, or for single- 
slepifing or n-stepping clorksn The scaJi tools do, however, 
allow halting cUn^ks within each of die sc;nuialile VTJi^l cliips. 

Scan Circuitry 

The prot:ess(>r boards scan cLrcuitry intertacc»s to the service 
processor's four-line serial scan port and enables tlie user^ 
via lite service processor, to scan test each of tit e VLSI chips 
and transceiver groups selectively. The arbitration ;ind atl- 
firess tmlTer t:lup can be s^^aimed independ*Hidy. whereas the 
address (4) and data (8) hus transceivers are chained. Tins 
scan feature is used as a fatilt analysis tool in mat lufactti ring. 

Printed Circuit: Board and Mechanical 
The processor board uses a 12-layer cons(Tta*Uon and has an 
approximate o vent I! thickness of 0.075 inch. Among the 12 
layers arc six signal layers, three ground layei:s, and three 
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voltage plane laytu^s. t-ytmatc ester dieieclilc iii ale rial is 
used for its ftister sigiiaJ propagation speecJ over FR-4 mate- 
rial and its ab HUy lu achieve reduced board thielcness for a 
given 1 raee irnpetlance. The nonniial signal trace impedance 
is 51 ohnis for all high-speed signal nets. 

Everj' atlenipl was made to kee[i high-speed stignal traces 
closely coupled to a ncigliboring groimd layer to mirTimlite 
sigfial peTtiirbations and EMI. Bypass capacitors kwe distrib- 
uted liberally across the board to suppress Iiigh-frequeney 
noise, EMI tiecoupling Lcchniqucs consistent with the other 
Model T500 boards aiT used Lo direct conunon-niode noise 
to chassis groimd. 

The dimensions of the processor board ai'e l(i.90 Inches by 
7,35 inches. The two processor modules extend beyond the 
7.35-inch dimension by api>roxin lately 3,25 inches and are 
suppoiled liy a sliet-l -metal exteiKler which effectively 
makes the board assembly 14 inches tieep. The motkiles are 
moimtetl paiallel to the processor boanl and the sliect-melal 
extender and aie secured by screw^s and st^indofl's, Tlie 
sheet-metal extender also has a baffle which directs forced 
air across the modules for hicreased cooling. 

Input/Output Subsystem 

The IIP 9000 Model T500 represents a major advance m the 
areas of liigh I/O tliron^iput and highly scalable connectiv- 
ity. Tiie Model T500 system pro\ides laige aggregate VO 
throughput through live rephcation of input/ontf>ut biLses 
with large slot counts. These 1/0 buses Lu-e airanged in a 
two-level tree, A bus converter subsystem eomiects fire pro- 
cessor memory bus of the Model T500 system with the 
Hewlett-Packard precisioiT bus (HP-PB) I/O buses, as shown 
in Fig. 12. The bus converter subsystem consists of a proces- 
sor memory bus converter, a bus converter link (see Fig. 13), 
and an HP-PB bus converter. It tnmslates the logictil protocol 



and eJectrictil signaling of data transfers between the proces- 
sor memory bus and the I/O ctuds on tlie IIP-PB bus. 

The I/O subsystem guarantees data integrity and provides 
high rehabihty through parity protection of all data and 
tnmsactions and througli tlie haidwai'e capability ot online 
replaceable cards. 

The bus converter subsystem is transparent lo software 
mider normal ot>erating conditions. Bach 1/0 module on an 
IIP-PB 1ms ui tlie system is assigned a range of physicaJ 
memory addresses. I/O modules appear to softw^are as sets 
of registers. 

All modules can be DMA capable and generally implerneoL 
scatter/gather DMA controllers. These scatter/gather DMA 
controllers allow virtually contiguous data located in physi- 
cally noncontiguous pages to be transferTed with minimal 
(■Pit assistance. A chain of DMA commmids is written into 
lueruory by the processor The 1/0 carci is notified of the 
locatior^ of the chain and that it is reatly for use. The I/O 
t:aJ d then uses the scattcr/gathei^ DM.^ controller to follow 
the chain and execute the coiuniiinds. hi tliis maimer the I/O 
card can write data (scatter) to dilTerent physical pages dur- 
ing the sartie DMA operation. The I/O card can also read 
data (gather) from fiifferent jihysical pages during the sarne 
DMA operation. Ulieu the I/O card niijshes all of the com- 
mands in the chain, it notifies the processor, usually through 
an interrupt. 

Tlie proc^essor metnory' bus converter is a dual bus <'on- 
vcrter that cotmects to two HP-PB buses tlirough a {lair of 
cables and tlie HP-PB l>us converter. The HP-PB bus con- 
verter is plugged into a slot in an HP-PB expansion module 
and provides the central HP-PB bus resouices of arbitrafion, 
clock generation, and online replacement signals in addition 
lo the connection to tlie processor menrory has. 



16 June 191M Hpwl<*Il-rackarfi ,Iounia] 



)Copr. 1949-1998 Hewlett-Packard Co. 



Each HP-PB expansion module is a 19-inch rack-niountable 
assembly iliat ciJimects any combination of up to 14 single- 
heiglit or 7 double-heighl cards lo the HP-PB biLs. A Model 
T500 supports connection of 1 12 single-height HP-PB cards. 

Bach HP-PB bus is a 32-bit multiplexed address and data bus 
witli byte-wise parit\' protection and additional paritj" protec- 
tion across llie control signals. The frequency of operation is 
fixed at 8 MHz, leading m a peak bandmdlh of ;J2 Mi>>nes^s- 
The aggregate I/O rale for file Motiel TMWJ system is iJtus 
256 Mbytes/s, 

The IIP-PB I/O fimction cards inriudc "m m. sa^L wiut' 5L SI, 
FDDl (doubly corineiletl), Klhen^ei LAN, token ring LAN, 
HP-Fl. nberlijik cOsk connect. IEEE ASH (lEC 025), X.25 and 
other WAN comiecls, lenmiiiil tuuhJplexer cards, ajtd other 
I/O funct ions. Using HP-FL canb and HP t '2250A disk armys, 
the corijordle busiiiess sener liardwaie cm\ suppfirt over 
li* terabytes of ilisk storage on over 10(K> dLsk spindles. 

Processor Memorj' Bus Converter 

The Model T500 accepts up lo four proct«:iSor lueitiory bus 
convert ens plugged iiilo the processor nieiiior>' bus back- 
plane, fclach processor jueiiiujy bus converter consists of 
two logically separate upper bus converter modules shaiing 
a single bus interface (see Fig. 13). ITiis reduces the eleiiri- 
cal loading on tjie [processor nteuior^' bus while prtA'iding 
tile necessary fattout for a high-coiuiectivity 1/0 subsystem. 

The processor menior>'^ bus converter provides resource- 
tlriven ^ubitratioii and transaction steering on the prot:essor 
memory bus for Irajtsactions involving the I/O subsysteiii. 
The processor meniurv bus ci^nvi^rier provides a maximum 
bandwidtJi ot'lH] Mtaytes/s. TraiLsat lions UuHMigh (he prcnes- 
sor niemciry bus converter aiv parity [)rolcctcd, iuid error 
correctiug code is generated and <:liecked at the processor 
memory bus interlace to guarantee data and transaction 
integrily, 

Tlie upper bus couvi'rter luotUiles ;ire implemcuted in cus- 
tom CMOH20 VLSI chips in lOS-pin [)iji-Krid array ijackages. 
They ariiiirate wiiti eacfi olber fojiiie pro< essor rnetnoiy 
bus interface chips on tlie processor luemoiy bus sitle and 
implement the bus converter link protocol on the link side. 

The processor memory bus interface consists of 12 bus 
transceiver chips (eight data and ftjiu' atklress) and an ar- 
bitration and acidress bulTcr chip. These chi}}s are used in a 
two-motlulc mode. The data bus lrausct*ivrrs drive indepen- 
dent bidirectional tlata f)iLses to the t w'(j upper luis converter 
modtile chips. The address bus traiLsceivers dri\^e a single 
ui\idirect ional address to both bus converter chips, but re- 
ceive ijKiependent atldress Ijuses from the two upper bus 
converter chips. 

The |>roc(^ssor meuuny bus converter also provides discrete 
irtdustry-standiiJTi logic to tniiislale the inis ctmverter link 
signals I between the CMOS levels <*f the ujiper bus ctjuverter 
chip and l.he +5V ECL levels of die link cable. 

Bus Converter Link 

Kach of I lie two utipcr bus converter j nodules connects 
Uirough two cabk^fs tu a lower bus convi-ilcr muihilc, the 
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HP-PB bus c<jnvt*rt er (see Fig. 13). Each cable is a high- 
p ertV >r 1 1 1 mice SO-vf mt 1 u c I o r fl at ri I >b on i 1 1 s u I all ( )n * 1 i.st) 1 ace- 
inent t t^nnector cabU' whit h allows I be Itjwer bus converter 
module and the HP-PB (expansion itiodulc lo be located up 
lo 10 meters away. Tliese cables and tlu' t^t**^*^^^'^-*' l^^^t is 
used on them mtike up the hius con veil ei" link. 

The bus converter link protocol is a propiietary protocol 
allowing pipeliniJig of two tiansactions with fmsitive ac- 
kmiwledgmi^nt. The signals mv point-l.o- point +5V ECL dif- 
ferential signals, two bytes wide and parity protected. The 
status inft^rmatirm from the opposite bus converter module 
is embetldixi in the link pro1oct)L *f he signaling rate across 
tlie Ims conv(>ner lijik is one-hulf (lie processor memory bus 
frc*quency or :JtJ MHz in the Mfjdel T500 systenin The peak 
bus converter link baiidwitith is tlierefore fjf) Mbytes/s with 
an avt^agc^ protocol overliead of lifi^K The adclress overhead 
is Oil thi" cMxIer of 20% leaving an average ciaia irattsfer rate 
of 42 Mbytes/s. 

HP-PB Bus Converter 

Thc^ 1 IP l*B bus converter connects the bus converter link to 
thi' MF-PB l>n.s in the HP-Pl^ cxijansion module. In ad<iition 
to I lie bus convert t*r functtojis, I he HP-PB bus <unvert:er 
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provides the centml resources For the HVVH \n\s (o wfiich it 
connect-Sj iiicliuling Ini.s dock generation, arbitral ioti logic 
and online replacement power-tsn sigiiaLs, Tlie bus clock gen- 
eration aiid arbitration are performed by discrete jndustr>^- 
stiindaiTl components on the boaixl. The HP-PB bus converter 
functions are implemented in a custom CMOS26 chip iti a 
272-pin pin-grid array package. Electrical sigi^al level transla- 
tion between tlic CMOS of the lower bns converter chip and 
the +5V ECL of the link cable is r)erformet] using the sj;mie 
discrete industry -standard components iis are used on tJie 
processor nieniory l>us convener, Tlie HH-FB bus coriverier 
acts as a concentrator for rbe 1/0 tralTic from the HP-I'B 
cards bomid for the system memoiy or the processors. 

The HP-PB bus converter onplenients a speculative prefetch 
for DMA reads of memory by HP-PB cards {data transferred 
fron^ memory to ai^ I/O device under tlie I/<.) card's control). 
This provides greater perfomiiuice by r>ffseiting the transac- 
tion and n^emoiy latency. The pjefetrli algorithm always has 
two read requests in the tiansaction pipeline to menioiy (see 
Fig. 11). Mien a read transaction to memoiy Ls accepted iV>r 
forw^arding by the IIP-PB bus converter, it forwards tlie fin^t 
read anti tberi issues a second read request with the address 
incremented by the length of ttie original read transaction. 
As the data is returned to the lequester, a new read transac- 
tion \^ith the address increment efi by twice the length of the 
transaction is issued on the bus converter link. The pre- 
fetching stops when the I/O card does not request the next 
read in the next transaction interv^aJ on tlie HP-PB bus or 
when the address generated would cross a 4K page bounil- 
aiy. Speculative piefetch increases the possible read data 
bandv^idth from 3 Mbytes/s to over 18 Mbytes/s. 



The HP r*B bus converter supixjrl.s fJMA writes at the ftill 
HPd*H <lata bmidwidtlv of 18 Mbytes/s lor IG-byte writes and 
23 Mbytes/s for 32-byte writes. The difference between the 
peak bandwidth and the data bandwidth represents tlie 
effects of the address overhead and bus tumaroimd cycles. 

The HP-PB bus converter carries parity through the entire 
data path an<l checks the parity before forwai chng any trans- 
action onto (he link or the HP-PB bus to gnat air tee data and 
transaction integrity. 

The HP-PB bus converter and HP-PB backplane in the 
HP'PB expansion module together provide the liai'dware 
atid niechanLsms to allow online re|>lacenient of HP-PB 1/0 
cards. The HP-F^R l>us converter provides a read/w^rite regis- 
ter through whi{ h the power-on signaJ to each HP-PB card 
can be controlled independentiy. Wiien this signal is deas- 
serted to im HP-PB card, the card's bus drivers aie tristated 
(set to a high -impedance state ) and the card is prepared for 
withdrawal fioni the IIP-PB expansion module. The HP-PB 
backplane provides the proper mdiictance and capacitance 
for each slot so that a card ctm be withdrawn while the sys- 
tem is powered up without disturbing the power to the adja- 
cent cards. Tlte hardware online replacement caimbllity 
makes possil>h^ future enhancements to the Model T500 for 
even higher aviiilability 

Logic in the HP-PB expansion module monitors the ac 
powder uito the module and mdicates to the HP-PB bus con- 
verter \ia a backplane signal wlien power is aljout to fail or 
wiien the dc volUiges are giving out of specification. Tlie 
powerfail warning signal is passetl uij throtigh the bus 
converter moilules to allow rhe iModel T500 system to 
prevent corrupllon of the mac lane state. 
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HP Precision Bos 

The HP-PB is a multiplexed 32-bit address and data bus 
With a fixed clock rate of 8 MHz. The HP-FBs in the Model 
IWil sj'stem are completely independent of the proiessor 
memofy bus clocks. The HP-PB biis convener synchronizes 
the data between the HP-PB and the bus converter link. 

Tlie HP-PB provides for global 32-bit addressing of the IK) 
cards and for flexibility- in addiess assigiynejit, Eac!r HP-PB 
is allocated a niininium of 256K bytes during configuration. 
This address space is cvenJy divided betwreen L6 possible 
^ols. Each slot on the HP-PB supports up to four 1^0 mod- 
ules, each of which is allocated a ^lK-43yte address space. This 
4K-b>ie space ts calletl the hard physical address space. Any 
module that requires adtiilional address space is assigned 
address space at ihe next a%'aiiable bus address. This addi- 
tional address space is called the soft physical address sjmt*^- 
Soft physical a(l dress space ^tssigned to all l/t3 modules on a 
single HP-PB is contiguous. The processor niemojy l>us con- 
verter detemiiues if a tiimsactitHi is bound foi' a given HP PB 
by cliecking (or inclusion in rhe range detennined by the 
hard t>hysjca] afi dress and soft physical address space of the 
HP^PB. 

Tlie hard physical address of an I/O card contains the con- 
trol and status registers defined by die PA-RISC architecture 
du-ougli wliich softwaie ciui at cess die i'O card. Each HP-PB 
card has a boot ROM called the 1/0 dependent code ROM. 
which is accessed by indirection through a hard physical 
address. This ROM contains i he rani ideniilKation, configu- 
ration parauieiers. test code, aJid possjlily l>oot code. The 
Rl depentlent cotle ROM allows I/O carfis to be c*orifigured 
into a system before the operating system is nmning and 
allows the operating system tn link to the conect diivcr for 
each cai'd. 

The HP-PB transaction set m sufficiently rich to sui>porl 
efficient I/O, Tliere are three classes of rraiisiulions: write, 
read, and clear or semaphore, Eacli ininsat lion is aiomic 
but. the HP-PB bus protocol provitles buffered writes for 
hij*h perfornuince aiul provides a husy-retr>' capatjilily to 
allow reads of uieuioiy to be split, providing piiiallHi.siu and 
higher handwidtlL Each f IP-Pfi transact ion specilles die data 
payload. The transiiclion set suppoils li'vuisactioiis of 1, 2, 4, 
16, and:J2 bytes. DMA is (K^rfonned using 15-byte or -1^-byt.e 
trausaclions inifialed under tlu^ conln>l of the I/O cant Kiuh 
HP-PB Irausactinri contains inforniatior^ about Nte uiasU^r of 
die trarLsaction so that etrom can be reported and data easily 
retmiied for reads. 

The HP-PB and I/O sul>system provides an efficient, llexible, 
and relialile means to achieve iiigh I/O tlirouglipul ^md 
highly scalable connecdvity. 

Memory System 

The menior>' subsystem for tlie HP iHM) Model TnOtJ corpo- 
rate husiness server uses 4M'bit DRAMs for a 256M-byte 
capacity on e;ich board, h is exfjajidiihle up to 2(1 liyfesof 
erTor-correclin>^ meuioiy Ttr Miiiiijiiize access hUency in a 
mull i] processor en vinMiineni, the tneniory subsystem is 
higlily [fUerleaved tx> suppt^rt concurn^jit access from multi- 
ple prt^cessoi'S and 1/0 uioduk^s. A single memoiy l>oai"d cmi 



contain 1, 2, or 4 interleaved banks of 64M b>ies The combi- 
nation of inierleaiiing and io%v latency for die board provide 
a baxKlwkhb of 96() Mb>les/'s. Ftinhermore, different-sized 
n\en>or>" Ixjards using different generations of DR.^\is can 
coexist in the system, alIov\ing fiiture memory expansion 
while preserving customer memory investmenis. 

From the siandpoim of complexity, the memor\^ board b the 
n^ost sophist j(*ate4l hoard in the Model T5IK) system. To meet 
its perlbmiance rettiuremenis. the design lises leading-edge 
printed circuit teclmologies aiid new tKjarrI tnaterials. These 
are described under "Manufacturing" later in litis article. 
The memory board includes 4273 nets (or signals). 218^3 
components, and over 28,850 solder joints. Doublc^sided 
surface momil iissembly provides high component deiwly, 
Ttie 2 183 components are mounted in an area of only 2^35 
stiuare Inches. 

The processor memory bus electrical design limits the length 
of the bus for GO-MHz operation to 13 inches. ConsequenUy, 
tlie memory board design is considerably constrauied. The 
limited number of slots requires the capacity of each uiem- 
ory boai'd to be lijgh. The short Ijus lengOi makes each of the 
slots narrow, forcmg a low profile for each nieutorj" boai cl 
Bus transceivers are located close to the connector on each 
daughter card to keep stub lengths lo a niinlmunt 

Memory Interleaving 

Menioiy boards are nianufactuied in 6^1 M -byte, 128M-byte, 
and 256M-hyte capacities. The li4M-by1e and 128M-byie 
memoiy capacities aie achieved by pailially !oa<Jiug llie 
256M-byte boaid. Memory interleaving tends lo distnbute 
memory references evenly among all blocks in the system. 
In the event that two processors desire to access memory^ in 
cojisecutive quatls, iulerleaving fjrovidesthat tlie second 
access will likely be lo an idle bank, ^fhe luerutuy design for 
the Model T50U allows the ijenefits of iiUerleaving to he 
based on the total nmnber of memory banks installed in the 
systeui. regardless tjf the luuuber of boards that thebtmks 
are spread across/^ Hie processor meuiory bus [jrotocol 
maximizes peiforniauce by interleaving all the hanks evenly 
across the entire physical address space, regaiTlless of tlie 
nmuber of banks. Ttiis is suj(erior to interleaving schemes 
that limit the etfect of interleaving to numbers of banks that 
are powers of two. 

Memory Board Partitioning 

Paiiilioning of the meiiiory board into VLSI chit>s follows 
til*' retjuirfiueiUs of ihe [)R.\Msand the tituik organization. 
This partitioning is illustrated in the mt^niory board block 
tiiagram, Fig. 15, 256M-byte capacity with single-bit error 
eorret tion requires 576 -fM-bit DKAMs. each of which is 
organized as IM by 4 bits. (Mbyte data transfers iUid ntini- 
mizefi latency require a 57(>bit bidirc*ctional data bus fV>r 
eacli fjank's ML^Ms. The effcnt to minimize late*ucy imd the 
restiicijou of the processor memoiy bus tfj niurow sl<)l:s fire- 
vfufed the use of SIMM mod ides sijiiiky to tlutst^ nst^d in PCs 
iind worksiations. The fixed timing rclationshiiis on die pro- 
cessor memory bus required tliat there be four of these 576- 
bit data buses for the four b^uiks on the 25tiM-i)yte memory 
ijoard to prevent contention tn^t ween writes tt> one bank ;ind 
iva<ls from another bank. A mulliplexing function is prcjvided 
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between the foiir slow 576-bit DRAM data buses and the 
60-MHz 12S-bit data bus of tlie processor memory bus. 

To iniplemenl thesr reqinivnuMits. a nel of five VI.S1 vh\]}s is 
used. As ifU^iMitit^fl un ih<r' lilnt k tliagran^ Liiese me: 

• Bus transceivers. Tliis design is also used on the processor 
and bus ronverter l>oaJ'ds. 

• ArbitiTition aiid atlriress buffer. This cliip provides for arbitra- 
tion and acts as an addit ioiiid pair of address transceivers. 
Tills tiesign is also used on the processor and bus converter 
boards. 

• Memor>' array data niultipfexer (MADM). This chip multi- 
plexes die slow DRAM data .signals to a pair of uniihrectional 
GO-MHz, 128-1 III htises ft Kind (rom the data transceivers. 

• Memory aixay address clrj\^er (MAAF) )h ITiis chip drives ad- 
dress and RAS and CAS to the DRAMs. It b a n^odified version 
of a standard commercial part. 

• Memor>' access controller (MAC). Tliis chip provides the 
overall control iiinction for the memory boaid. In pailicniar. 
the MAC uupknnent.s tiic required arcbilec'tural featmes of 
the memory system and controls DRAM refresh. 

Except for the MAAD, which Ls in a 44-pin PLCC (plastic 
leaded chip canier), each of these ICs is a fuie-pitclu quad 
flat pack (QFPl conii>oueiii, with leads spa< ed 0J)25 inch 
apart. The bus transceiver ajid MADM are packaged in 



100-pin QFPs and the arbitration and address buffer and 
MAC are in H>0-pin QFPs. The full 25GM-byte board includes 
20 bus transceivers, one arbitration ant J address buffer, 72 
MADMs, 16 MAADs. and one MAC as well as the 576 4M-bit 
DRAM chips. 

Fig. 16 is a pholugrrtph of die 2ri6M-b>te meuuny hoard. 

Printed Circuit Board Design 

In addition to icstriclions on the memoiy boajd i^aiised by 
the processor memoiy bus design, there were a significant 
mm^berofothei' electricjil design and manufacfuringreciuire- 
n rents on the t>oanl flu^ onlxjard ver^siou of the processor 
n lei IK n')' bus address bus is a 3L70-inrii, 6U-Mllz unidirec- 
tional l)us witli Ki loads on each line. There aiv two 12 8- bit, 
60-MHz, 9. IS-inr^h buses widi five loads on each line. With 
the laj^ge number of components already rei|iiired for the 
hoard, it woultl not iiave been feasible to terminate these 
buses. Tlie clock tree for the \T.SI on the botu d feeds a total 
of 94 bidirectional shifted ECL-Ievel inputs and IG single- 
ended inputs, with a goal of less llian 250 ps of skew across 
all 110 inputs. The size chosen for die niernorj^ Imiad is 
I4J)0 by 16.90 inches, the rnaxiinuni size allow etl by smface 
mount tHiuipment for efllcient \xilimie production. Restriction 
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Fig. 16* 2S6M-byte memoiy board. 

to this size was aii importajit factor ill almost every design 
decision made for the board. 

Preliminary designs of rritical aieas of the hoard showed 
tJiat the dense!^t feaisible routing would be ipqnired. Leading- 
edge HI* [printed eirciiil prrKliKlit)n technology billows a 
minimum of O.DOr>-iju'h tines and 0.005-inch spaces. Vias can 
be either 0,008-inch fmished hole size with 0.021-inch pads, 
or 0.0124nch finished hole size with 0.025-inch paib, Iloth of 
these alternatives are cunently limited to a nuixiuiijiii as- 
pect ratio of 10:1 ( board thickness divided by flnishLxi hole 
size J. The aspect ratio als< j hitluenees the jiroduction coyt of 
the board significantly hecanse of plating yields, as well as 
the achievable drill stack height. 

With the given layout coriditioiLs, .se%eral trade-off studies 
were done 1<> find the best alternative in terms of electrical 
perfonnance, m;nmfaclunng cost for Uie Ujaded a'^sc^mbly, 
reliability, iind risk for procurement and process availability 
at both fabrieation and assembly. Tlie best aJt.eniative fmally 
uses the leading-edge layout geometries, eight full signal 
layers, and two pin^l kU signal layei^. Since (he initial projec- 
tions of I lie number of layer's retjuired to route the board led 
to an anticipated board thickness greater than 0.080 inch, 
the aspect ratio retjiiireinents catised tJie (LOOS-incb finished 
hole sixe via ojition \n he rejected Even with 0,025-inch 
pads and 0.012-iiKh fjiiished hole size vms^ ihe aspect ratio 
approaches 10, Tlu^refore, a sophisticated board material is 
required to prevent tlu^rmal cyclinj^ from stressing vias and 
generating rlisionltnis on the board by exprnision of the thick- 
ness f>r the Ijoard. ( yrniate ester jnaterial ( HT-2) was chosen 
over other subst rate alternatives because of its superior 
eleetrical and mechaiticaJ perfomiance.**^ 
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Fig, 17. Scaling of online transicLiou processing (t^LTP) performance 
with number of processors. 



Multiprocessor Performance 

Performance 

An HP 9000 Model T500 corporate business server, a six- 
processor, 90-MHz PA-RISC 7100 CPU wltti a 60-MHz bus, 
achieved 2110.5 transactions per minute (ir.S.$2Ji5 per 
tpmC) on the TPC-C benchnuu'k/^' hi the f<illo\^Tng discus- 
sions, the available niuJtiproeessor perfomiance data is a 
mixture of data from l>oth tlie Model T500 and tlie older 
Model 890 systems. 

Data for the HP 9000 Model S90 (the precursor of the Model 
T500, which uses one to four fSO-MHz PA-RIS(" processors 
and the .same nn^nioiy, bus, and I/i.) subsystems cis the Model 
TBOO) is available for the TPC-A benchmark and one to four 
piTjcessors. Fig. 17 shows liow nmltiproceasing performance 
scales on a benchmaik indicative of OLTP performance.** 

The SPECrate performance for the Model T500 is shown in 
Fig. 18.^ The SPEC restilts sliow hnear scaling wWh the num- 
ber of ]irocessors, w^hich is expected for Cpr-intensive work- 
loatis with no mutual data dependencies. The OLTP bench- 
maiks are more typical for real commercial applications. 
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Fig, 18. Model T50(l SPECratn p< rfortTiLinee. 
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Fig* 19» Model SliO piugifUii developrueJil. perfoniiance. 

The losses in efficiency are caused by factors such as seriaJ' 
iisation in the I/O subsystem aiid conlenlion for operating 
system resources. 

Fig. 19 shows the perfomianrG of Lht? Model 890 on an 
HP-internal benchmaik representative of 24 interactive 
users executing tasks typical of a program development 
environment. 

The t>enchmark results confirm the value of key design 
decisions. For example, nearly all transactions vt^ere use- 
ful — only 6% of all transactions were busied and only 1.5% of 
aU bus quads were waited. Disabling the interleaving or dis- 
abling the duplicate cache tags did not affect bus utilization. 

The efTiciency of (he bus was reflected in system through- 
put. Normal operation showed near-linear multiprocessor 
scaling tli rough four processors. Changing the interleaving 
algorithm from the normal c^ise of four blocks interleaved 
four w^ays to four blocks not interleaved caused a significant 
perfonnance impact. As ex|jected, the penalty wtis greater 
at higher degrees of multiprocess I rig, peaking at a penally of 
15% in a four-processor system. Disabling the chiplicate cache 
tiigs mcurred an even greater cost: t he decrea'^e in system 
perforniajice was as much as 22%, with the four-processor 
system again being the worst case. 

These tests showed that ihe hi|jh-speed pipelined processor 
nveitioiy bus, fast CPUs with large caches, fluplicate cache 
tags in the processor interfaces, ;iJui higlily itUerleaved large 
pliysical memory allow the Model T500 system to scale 
efricieally up to twelve-way mulliprocessing. 

Service Processor 

As part of the challenge of producing the HP 9000 Model 
T500 coipoi'ate business sei"ver, r.aigeted at demanding busi- 
ness applications, it was decided to try^ to make a signiticant 
improvement in system hardware availabihty Hardwaie 
availability htis two component's: mean time betT\'een faH- 
uies (MTBF), which measures how <iflen tJie computer 
hartiware falls, iuid meim time to repair (MTTR), which mea- 
siyes how long it lakes to repair a hardware faihu-e once 
one has occurred The senice processor makes a significant 



improvement in the MTTRprjrtion f>f l he avajlability equa- 
tion by reducing the time required to repmr tiie system when 
haixlware failures do occur 

HP% computer systems are typically supported from our 
response centers, where IIP lias concentrated some of the 
most knowledgeable and experienced supp(jrt staff. Tliese 
support engineers generyliy [jrovi^le the llrst response to a 
customer problem. They make the initial problem diagnosis 
and detemiinc which of DP s resources will be applied to 
fixing the customers system. The greatest opportunity to 
improve the system s MTfR existed in inijiroving the ability 
of the support engineers at t lie respoase centers to access 
failure information and control the system liardware. The 
following si>e(ific g<jals were set: 

• AH of the troubleshooting information that is available 
locally (at the failed system) slioukl be av^iilahle remotely 
(at the response center). 

• Information should be collected about hardware failures 
that prevent the nonnal operating system code from staiting 
or Ruming. 

• Infomiation about power and en\iroimTental imonialies 
should be collected. 

*■ Information about operating s^ystein st^ite changes should 
be collected. 

• Error uiforrnation shoultl be available to error aiudysis soft- 
waie nmning luider the operating system if the operatmg 
system is able to recover after^ an anomaly occurs. 

• A means should exist lu allow suj>|)art persomiel to deter- 
mine Ihe system hardwaie t configuration and alter it widiout 
being present at the site to allow problems to be worked 
aroimd and to aid in problem detennination. 

• The suj>port iiardware should be as independent of the re- 
mainder of the comj >uter system as possible, so that failures 
in the main hardware wiD not cause support access to 
become unavailable, 

• Error reporting paths should he designed to maximize the 
prohabihty that failure symptoms will be observable even in 
the presence of hardware lailures. 

• Failure m the support hardware sltould not cause failure of 
the main computer system. 

• Failure of the support hardware should not go unnoticed 
imtil a failure of (lie main system occurs. 

' Tlie haidwaie sutipoil functions should be easily upgradable 
without requiring a visit by support persoimel mid without 
replacing haiciware. 

Hardware I mple mentation 

The above goals are achieved by proviciing a single-boarfl 
service processtir for the Mofiel TBOO system. Tlie service 
pr<jcessor is a micioin ocessor-rontrolled board that is 
located m the main raidcage. This board has control and 
oljsen'ation ronnec lions into all of the hardware m the main 
raid cage. Tlus boartj also contauis the powder system control 
and monitor wliich controls tlie power system. Tlie senice 
processor has a conmiand-oriented user interface which is 
accessible tluough the same console mechmusm as the op- 
erating system console coimections on pre\ious sysiejus 
(through the system^ access pott). The k^gical location of 
the service processor is sliown in Fig. 20. 
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Fl(f. ZO* Scrvit E^ processor biotk dia^iin. 

The ^rvice procrasor and power system coriln)! and monitor 
are powereti l>y sprHiMl hi as power whith is a^ailuhle wli(*n- 
ever ac power is applied u> the system (ahinet. The service 
processor is thus independent of the main system power 
supplies, anrl can be accessed i aider ahnost all system fault 
c^oiiditkjns. 

The service pr<K-t»ssor has a communications channel to the 
power system control and mtmitnr vi]ur!i allows it to prf^ 
vide llie operating code for tlie power system control and 
monitor microprocessor, and then to issue conimands to the 
power system control and mi>uitc*r and nu;»nitor Its progrt^ss. 
Ttie power system corUrol and monitor controls the power 
system under service processor supervision and notifies the 
senice processor of power and en \ir(jn mental prol:)lenis. 
The service prt>cessor provides a user interface to the 
power system which is uschI l>y support personnel when 
trout>leshooting power and envijonmental prot>lems. 

Tlie service processsor is connected to each card on the pro- 
cessor uu^u a jr-y hvis by both the system c^locks and the scan 
bus* Through the system clocks, the service processor iiro- 
vides ciocku\g for the entire Mo<iel T5t)() system- Tlie nam 
bus allows tlte service processcjr to set and read the state of 



the cards without using the main s-ystem bus. This mecha- 
nism is used to dcncnnine and alter system confij^nration 
aiul for facloi:y testing. 

The service processor is connected to the processors in the 
system by the service processor bus. The service processor 
bus allows the processors to access instructions and data 
str>red on the si^rvice prtjcessor. The iiLstiiu tic ins include 
processfir self-test code and j>roressor dei)endent corle, 
which performs architected system functions. Tlie data 
stored on the service processor includes configuralion infor- 
mation antJ logs of system activity and problems. The senice 
processor bus also allows the processors to access common 
system hardware that is part of the senice processor, such 
as systeni stable storage which is required by the PA-RISC 
architecture, and provides at:cess to the console terminals 
through the close c-onso!e port. Because senice processor 
bus access is independent of the c^taiditif^n of the processor 
memoi-y bus, the prot*essors f^an access error handling code^ 
make error logs, and conunmiicate v\itli the rxmsole tcrminjds 
even if the processor memory bus has totiilly failed. 

The service processor drives the system statits displays on 
I lie control panel These inchtde the large status lights, the 
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number of proc^essors display, and tlie activiiy display. The 
sendee processor also minors diis uifomiation onto the 
console terminals on Uie status line. 

The connections between the service processor and the 
console/LAN c^u^d provide several functions. The service 
processor's user interface is made available on the local and 
remote console temiinaJs by the access port Ann ware which 
is part of the console/LAN card. The user interface data is 
carried through tlie service processor poi1 connection. Be- 
cause the interna] IIF-PB cardcage wliich hoiLses rJie console/ 
LAN cai'd is powered by the same source of ac power as the 
service processor^ the access port and its path to the console 
terminals are fiindiontil whenever the service processor is 
powered. The .system proce8S<)rs ac{ ess the console termi- 
nals Ihrougli the close console port connect ioji to the access 
port fimiwaie during the early stages of the boot process 
and ciuring machine check processing when the I/O subsys- 
tem is not necessarily ftmctionaL Tlie service processor also 
sends control itifornvaiion and connnunicales its status to 
tlie console/IjAN ciird through the service processor port. 
Console lennijuil Jiccess to the system m\(.\ service processor 
functions is controlled by the access port finnware on the 
consDle/lJ\N card. 

A connection exists between the service processor and a 
test controller used for system testing in the factory. ThLs 
connection allows the system internal state to be controlled 
and observed during testing. 

Because tbe service processor and p<;)wer system control 
and monitor do not operate from the same power supplies 
as the processor menior>' bus, tlie service processor's con- 
trol features and en or logs are available even wlien the re- 
mainder of the system is inoperable. Because logging, ertf^r 
handling, and console communications patiis exist thai are 
independent of the systen^ buses, tbese functions can ojierate 
even when system buses are miusable. Tlie service processor 
is architected st.^ lliat its failure does not cause the operating 
system or power system to fail, so that failure of the service 
processor does not cause tbe system to stop. Tbe access 
poit is hideiiendern of tlie servict^ [jrocessor and delects 
service processor failure. It notifies the user of service pro- 
cessor failure on tlw console terminals^ provltling time for 
the service processor to be repaired before it is needed for 
system-critical functions. 

Features 

The hai'dware iniplemenlation desciilred above is extremely 
flexilile because of its large connectivity into a!l of the main 
systeni arecis. As a result, the service processor's features 
can be tailored and changed to ensure tiiat the ciistomer's 
service needs are atieciuately met. The service processor m 
its cmTent implementation includes the service features 
described in the foliowmg paragraphs. 

Configuration Control. The service processor keeps a record 
of the processor memor\' bus configuration jncluding slot 
nimiber. boaid t>pe, revision, and serial number. The service 
processor reconciles and updates this infonnation each time 
the system is booted by scaiming the processor memory- l>us 
and identifying the modules it finds. Viirions enor condi- 
tions cause defective processor memoiy hus modules to be 
automatically removed from the configuration. Tlie user Is 
aleited to such changes and boot can be optionally paused 



on configuration changes. The sei^ice processor's user in- 
terface Cf mtains cfinimands to display and alter the conllgu- 
ratior\, iiu hiding ren loving modules from the configuration 
or adding them back into Uie configuration. Modules that 
are removed no longer electrically affect the system, making 
configuration an effective means of remotely troubleshoot- 
ing tuobietns on the processor memory bus. 

Logs. The service processor has a large log area that con- 
tains logs of all service-processor-visihle events of sui)pot1 
significance. Each log contains tht* times of event occur- 
rences. Logs diat warn of critical problems cause control 
panel and console tenninal indications mitil they have been 
read by the system operator, Ttie service processor user 
interface ton tains commands to lead and mtmage the ser- 
vice processor logs, hil'orRuiliim in the service processor 
logs can be accessed by diagnostic softwiue running under 
the cjperating system- Tlie service processor logs include: 

• Power systeUT anomalies 
•= Enviroimiental anomalies 

^ Ac power failure information 

^ Automatic processor memory bus module deconfigumtions 
that occm because of fiiilurc*s 

• Operating system m^jor state changes f such as l>oot, tcisting, 
mitialization, nmuing, warning, shutdown) 

' lligh-piiority machine check infonnation 

• Problems that occur during system startup before the 
processors begin execution 

• Processor self-test failure infonnation. 

Operating System Watchdog. The service processor can be 
contiguied to observe operating system activity and to make 
log entries and control panel ^md console indicafions in the 
event of apparent operating system failure. 

Electronic Firmware Updates. The service processor and 
t)iO( essor dependent ccjde work together to update system 
firmware without the need for haidware replacement. The 
service processor contains the system processor dependent 
code (boot and eiTor &rmw£ire), the finnware for the power 
system control and monitor to control the power system, 
and its ovv^l firmwiue. Two copies of each exist iiT elect ri- 
cally er^isable storage so I hat one copy can be uiKlated while 
die other copy is unchanged. 'Hie service processor can 
switch between the two copies in case a problem occurs in 
one copy. 

Remote Access. Tlie user g^iins access to the service processor 
user interface through iUv access poi1. Tlie access port is 
the single point of connection for diesysieui console termi- 
nals, both loctii and remote. As a result » all troubleshooting 
information that is available on local console temiinais is 
a vai ! al:* I e re ni o t el y . 

Factory Test Support. The service processor serves as a scan 
controUci; providing full access to the inten^al state of tlie 
custom VLSI chips coutainecl on processor memoi>' bus 
cards. This access is provided through the programmable 
clock system and the scan bus. Using tbe scan controlier 
features of the sen- ice processor, a factory test controller 
c an test die logic in the processor memon^^ bus portion of 
the system under automatic control 

System Status Control Bet^aiise tlie service processor contrdlte 
the system status indicators, it is able to display an acCLilttfe 
siimmai>* of the complete hardware and sofit ware state of 
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Fig, 21. p{jwi^r syjitem block diagram^ 

the system, Tl\e service processor can do this even vi^hen the 
system processors or main power system arc unable to 
operate. 

Power System 

The power s>'stem i>ro\ides regiilateci low- voltage dc lo all 
logic assemblies in the prot^esKor nicmoo' hun carclcagc, and 
to the airay of fiuis locatt^d just below the canlcage tLSsenibly, 
The power system is designed lf> grow anti rvliably suppr>rf 
the need for ever ncreasing ijrot t^ssor, memory, and I/O per- 
formance. It has f he capacity to deliver almost 4,000 watts 
of dc load pow^ei ontinuoasiy The lj|o<"k fliagnirn of the 
power system is bown in Fig. 21. Tlie modiilar design con- 
sists of an a(' front-end asstj'mbly, several low -voltage dc- 
to-dc converters, and a power system control and monitor 
built within Ihe service processor 



The ac front end. shown in Fig. 22, contains one to three 
fjower-factor-correcting upcom^erter modules, each pro\1dlJig 
regulated 300Vdc, and has an output c^jacity of 2.2 kilowans. 
ITie iipconverier modules nm on single-phase or dual-phase. 
2(^Vac inpm. Tliey have (output ORing diodes, implement 
ouiput current sharing, and are capal>le of prodding true 
N+1 redundancy for higher sj^stem edacity and availability. 
(N+ 1 redundancy means that a system is configured with 
one more module than is necessary for normal operation. If 
there is a subsequent single module failure tJie extra module 
will take over the failed module's operation.) 

The acti^^ power-factor-correcting design allow s the product 
to draw near unity powder factor, eliminating the harmonic 
currents typically generated by the switctiing power supplies 
in a computer system. The design also has a verj^ wide ac 
input operating range, is relatively insensitive to line voltage 
transients and variations, and allows a common design to be 
used worldwide. It also provides a well-re giiiated 300 Vdc 
output to the low-voltage dc-to-rlc converters. 

The low-voltage dc-to-dc converters are fed irom a sin^e 
300V rail and deliver regulated dc voltage throngboin the 
main processor cardcage. The single-output converters, of 
w^hich there aie tw^o types, have capacities of 325 and 650 
w^atts and a powder density of about 3 w^atts per cubic inch. 
Tliey have current sharing capability for increased output 
capacity, and are designed to recover quickly in the event of 
a module failiu-e in a redundant configuration. The convert- 
ers have output on/off control aiul a iow-power mode to 
min)jnis:e power drain on the 300V rail w^hen shut down. 
Tlieir oininit \'oliage cmy be adj Listed by die i)ower system 
contral and monitor. 

The power system control and monitor provides control for 
power sequencing, fan speed c^ontrot, and temperaline mea- 
sLU'cment. It enstues that the modular converters and the 
system load arc consistent wiih eatii other Tlie c^ont roller' 
also nuirutors slalus ,'ind system vnliages. Tliis information 
is conimuniraU'tl to itu^ ser\ice pr<i( essor and saved in a log 
to aid in tlic support and malntemuice of tlie systcnu 

Together, the power system control mu\ monitor, [jower- 
factor<*orrecyng ufx^onverters, and low-voltage dc4o-dc 
converters form a scalable, high-capaciTy. higlily available, 
modutar power system. The system is easily updated and 
can be upgraded to support higher-peifoMiiaint^ processor, 
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memory, and I/O technologies as they are developed for the 
Model T50Q platform. 

Product Design 

The Model T500 package is a single-bay cabinet. Overall* it is 
750 nmi wide by 905 nmi deep by 1620 mm talL A fully loaded 
cabinet can weigh as much as 360 kg (800 lb), A skeletal 
frame provides the cabinet's structure, snpportlnjl the card 
cages, fan tray, and ac fi'ont end rack. Exiemal enclosures 
with vents and a control panel attach to the fraine. 

The processor memory bus boards and the low-voltage dc- 
todc converters reside in card cages in the upper half of the 
Model T50D cabinet. They ping into both sitles of a vertically 
oriented, centered backplane to meet bus length restric- 
tions. A bus bar assembly attaches to the upper half of the 
backplane to distribute power front the larger (550- watt com 
ve Iters Id the extended-power slots that the processor 
boards use- 

There are 16 processor memory bus slots in the Model T500: 
six in the front cardcage and ten in the rear cardcage. Eight 
of the 16 slot^ axe extended-power slots, which have a board- 
to-bomd pitch of 2.4 inches, twice the b2-incb pitch f^fthe 
other eight stajidai'd slots. Tliese wider slols allow irtcreaserl 
cooling capability for the processor boaid heat sinks. The 
standard slots are used for bus converters. Memory boards 
can go in either standard slots or extended-power slots. 

Looking a1 the front view of the cabinet in Fig. 23, six 
extended-power processor luemory bus sl<ils are to the left 
of the Jow-voltage dc4o-dc converter cardcages in which 
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(S Slots} 




AC Front End 



Fig. 24. Ri-^yr view rjf Mofiet T500 fahinr-t. 

four 65D-walt conveners reside above two 32l>watl convert - 
ens and the inLscellaneous power module. When viewing the 
rear of the cabinet in Fig. 24, teii processor niemor>' bus 
slot St two or which are extended-power, leside to the right 
oft he converter cardcages in which four 650-waU conven- 
ers are above three 325~watl con%'erietB. The senice proces- 
sor is located in a dedicated slot between tlie reai" processor 
memory bus and the converter cardcages. 

The fan tray is located beneath the card cages. Air enters 
through 1 he inp vents of the cahhiet and is pulled through 
air fiitet-s ajid then through the processor memory bus arui 
dc-to-dc convener cardcages to the fan tray. Half of the air 
is exliausted through the lower cahoiet vents while the other 
half is directed to cool the HP-PB cardcage boards located 
in tliG ac front end rack. Tlic fan tray is mounted on ch^issis 
slides to allow- quick access to the fans. 

The ac froni eiKl rack is mounted on ilie Intse or the Model 
T500 cabinet. This rack holds np to three power-factor- 
correcting povver supply modules. m\ internal HP-PB card- 
cage, and the ac input uirit. The HP-PB powder supply has its 
own integral cooling fan. The ac front end power-fact or- 
correcting modules have their owir fans and air filters and 
take in cool air from the rem' lower portion of the t^alnnet 
and exliaust air out at the fiont lower portion of the cabinet. 

The rear of the internal HP-PB cardcage has an fTP-PB bus 
converter and seven double-high or 14 single-high liP-PB 
slots as well as the battery for battery backiuJ^ The front of 
the HP-PB cardcage has a power supply and the pow er sys- 
tem control and monitor module. HP-PB l.iac ktilane insertion 
is from the top of the cardCtige by way of a siieet-metal 



Pig. 23. Front view of Model T5(K1 cabiaeL 
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AddJttona] rackmount HP-PB expansion modules and s>-stem 
penpheral.s are housed in peiipheraJ raL-ks, Both HP-PB card 
cages (internal and racknioimt j leverage the same power 
supply and backplane assemblies, but have different overall 
package designs. The rarkmouni \ersion has a cooling fan 
tliat directs air in a front-to-back cUrection. The HP-PB 
boards mount in a horizontal orientation and ihe cables exit 
towards file rear of the peripheral rack. Tl^e rackmount unit 
is 305 nun high (7 ElA standard increments) by 425 min 
wide by 470 mm (ieep. The peripheral racks are 600 mm 
wide by J)05 mm deep by 1020 mm tall and have mountings 
to hold pnxlticis conforming to the EL\ 19-inch standard. 

The Model T500 tndiistrial design ream drove the system 
packaging design to come up ^^ith a unified appearance for 
HP's higli-erid and midrange multiiLser systems. The result Ls 
an iiidustrial design standard for a peripheral rack system 
rliai fits well with the Model T500 design. This cooperative 
effort ensured consistency in appearance and functionality. 

E 1 e etro magn etic C ompatibili ty 

EMC shiekling takes place at the printed cirruM board level, 
the power supply level, and the card cage level and does not 
rely on external enclosures for containmeni. This keeps 
noise contained close to the source. A hexagonally perfo- 
rated metal screen is used abo%'e and below the processor 
menu)r>^ bus cardcage to minimize resistance to airflow 
while iinniding the rtxiuired EMI protection. Nickel plating 
is used on the steel cardcage pieces to ensure low electrical 
resistance betn^Teti mating metal parts. Tlie backjjiane has 
plated pads in the iireas that contaci the cardcage pieces. 
Conductive g;iskets lxtp used to ensure good contact be- 
t^ween 1 he hack];)laiie, tfie cardcages, arid the co\'er plates. 
ESD (electro.slatic dischiirge) grounding wrist straps are 
provided in botii the front ajui rear of the cabinet, 

Surface mount ftitering is used on the backplane to control 
noise on signal lines exiting the lugh-frequency processor 
memory bus carrl cages and to prevent noise from coupling? 
iiUo the low-voltag(* d(^-to-dc conveilers. 

All pTocesssor memoiy bus tKJards have a routed detail in 
foiu' comer locations along the l>oard p^^rinu'ter ttj allow for 
grounding contact. A small ciistoiri spriiig tils into via holes 
and resides in the routed-oul space. This spring protrudes 
past \hv edge of tiie board and c^fintacts tl^e card guides in 
the cardcage. Surface moiuil resisbmce elements lie be- 
Iween the vias and the tumrd grtjurul idaites. Ttiis riieihotl of 
grounding the [irocc^ssrjr memory* bim buaixb helps reduce 
EMI emissions. 

System Printed Circuit Briardh 

The processor memoiy bus cardcage is designed to accept 
KiiJ-iiich-high-by-l 1-iiich-deep hoards. This large size was 
requircHl for the 2r>(>M-byte memory board. Since the proces- 
sorand [irocesstjr juf^nory^ bus txjnvcrier ilifl not rt^cjuire 
large boards, it was import an! lo have a cardcage and cover 
plate desigji that allows bo£UtIs of various deptlis to be 
plugged into tlie same cardcage, thereby optimizing board 
panel use. 

Tile processor phigs into this deep cardcage by means of a 
sheet -metal exletuler. The bus ccuiverler was more diftlcull 
to accommodate since this shrillow boani retjuires t nblcs to 










Transitiaii Piflt« 



Fig, 25, Bus coiivortpr shet?! -metal design, slinvvinjtf iraiisitinii plate. 

attach to its front plane. Therefore, a transition plate was 
(ieveloped to transition ilrom the shallower boaitl Imlkheads 
Ui the full-depth cardcage clover plates as shown Ln Fig. 25. 
This transit ion plate Uk ks into Ihe atljacent tuilklu^id to 
maintain the EMI enclosiue. However, either the transition 
plate or the adjacent ijulkhead to which it latches can be 
removed without disturbing tlie other 

The Model T500 imc^kjilane is 25.3 inches wide by 2L7 
in dies higli by 0.1 10 inch tltick and has 14 layers. This hack- 
pkme has many passive components on botlt sides, includ- 
ing press-fit and solder-tail connectt>rs, surface mount resis- 
tors ant I capacitors, processor bus baest and fi liters. The 
backi>lane connectors are designed to billow at least 200 
insertions and withdrawals. 
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A rontrolled-impedance connector is imed on the processor 
inenioiy Ijus boarcis lo male to the backijiane. Tlie codevel- 
opnient that took plaee with the connector Hupplier was a 
ni^fjr unflertaking to ensure that the connector wouki work 
in our Biirfac e nioimt processes rcpeatably and meet om- 
relialiilifcy and serviceability requirements. 

Cooling 

The Model T500 cooling system is deslgne<l lo deUver high 
system iivtiihibility. Tliis Ls achieved by incorf^orating rtnlun- 
dant fans, fan-sj^ecd tachometers, air tentperatmi'e sensors 
on tlie hoi ley! parts of the boards, and nniltiple-speed fans. 
The Model T500 ineeis I he IIP enwonmental Class C2 speci- 
fication ff*r altitudes up to 10,000 feet with an extension in 
temperatiure range up U > 4Cr'C, 

Computational fluid dynamics software and themial analysis 
spreadslieeUs were used to evaluate various component.s, 
heal sinks, and board placemenls. These tools helped the 
team make quick design decisi(jns fhiriiig the prototyi>e 
stages. AH high-powered components that w^ere caJculat.ed 
to operate close to their maxhnum tdlowable junctifin tem- 
perature ill the worst-case environment were packaged with 
thermal lest dies to record cbip junction temperatures accu- 
rately. Srtuill wind tunnels were used to dotenaine package 
and heat sink thermal performaju e (ov various aiiilows. 
Larger wh^d ! inuieLs were used to evaluate board aiiilow to 
give the board designeni feedback on component placement 
by monitoring i>reheal conditions and flow obstructions. On 
printed circuit boards, external plane i lierinal dissipation 
pads w^ere used w lie re possible in heu of addir^g heat sinks 
to some surface mount pmis, 

A full-scale system mockup was built- Various board models, 
air filters, EMI screens, and vents were tried lo gather system 
airflow^ resistance data to determine the si^e and Jiumber of 
fans required. Various cooling schemes were evahiated by 
altering airflow direction and fan location, r^ulliug air dov^rn 
through the cabinet was UniiKl to provide imiform airflow 
across the cardcages while keeping the air filters cleaji l)y 
their fiigh location. Having the fans low in the product and 
away from the vents kept noise sources farttier away from 
operators and uuide servicing the fans easier. 

The eleven dc fans in the fan tray have tlie ability to nm at 
diree different speeds: high, normal j or low. Seven fans nm 
at low speed during startuji and hatter>' backup to keep the 
power use at a minuiium while su|»]>iying sufficient cooling. 
All eleven fans mn at nonnal speed while the system is up 
and nmning wit li the inlet air at or below 30'' C. In this case 
the system meets the acoustic noise limit of 7.5 bels (A- 
weighted ) sound power. The fans run at high speed while 
I fie system is up mul nmning widi the irdet air aijfvve 30"C or 
^'hen the temperature rise t hrough the processor memorj^ 
bus cardeage exceeds 15^C. 

At high speed, the fan uay has a volimi iric mrflow of ap- 
proximately 1200 ft'Vmin, which is desi,,ned to handle over 
six kilowatts of heat dissipation. Tlris amomit of power wa-s 
considered early m the project wlieu tiiteniate chi[} lechnob 
ogles were being investigated. Tlierefore, the Model T500 
has a cot) ling capacit^^ of approximately one w^att per square 
centimeter of floor space, a threefokl increase over the high- 
end platfonn that the Model T500 is repiacmg, yet it is still 



air-conted. The minimum air velocity is two rnefers pcTsec- 
onrl ill all of the processor memory bus slots and tlie typical 
air velocity is 3 m/s. 

Because the processor memory bus cardcage contaiits high 
pressure drops aiTd jiirfiows, the board loadltig sequence is 
important, especially for the processor hoarrls. Since the 
heat sinks are on die lighl side of the vertical processor 
boards, they aie loaded sequentially frrnn right to left. Tliis 
ensures that air is channeled through tJie processor heat 
sinks instead of bypassing them m large unfilled portions of 
the caidcage. 

M anuf ac t iiring 

Tlie fundamental strategy for manufacturing the HP 9000 
Model T500 corporate business ser\'er was concurrent engi- 
neering, that is, development of both the compulermid tlie 
technologies and processes to manufacture il at ttie stmie 
lime. This resulted in a set of extensions lo existing high- 
volume, cost-optimized producdon lines that allow sophisti- 
cal ed. performance enliaiicmg features to be added to ttie 
CO n i i > Vci t p In isiness serv^er. 

Cyanate Ester Board Material 

Printed circuit hoards based on cyanate ester chemistry 
(referred to as HT-2) have much better thennal, mechanical, 
and electrical performance than typical FIM substrates. 
These properties make WT-2 ideally suited for large printed 
cir'cuit assenibhes with intensive use of com prm cuts with 
finely spaced leads, high-reliability applicatitHiSt high- 
frt'(iiieiicy applications, and applications with tight electrical 
tolerances. 

More advanced printed circuit board designs tend to increase 
the tispect ratio of the boai'd, or the ratio of the thickness of 
I he l>o;trd to the width of the vlas IVjr layer-to- layer connec- 
tions. Hiis is hazardous for FR-4 substrates fjec'ause higher- 
aspect-ratio \iiis tend to be damaged in the thermal cycles of 
printed circuit assembly processes because of tiie expansion 
of the thickness of the boards ui these cycles. Tlie reliability 
of \1as and thrmigh4vole connections (where the processor 
memoi^' bus connector or VLSI pin-grirl arruys are soldered 
to the board) is essential to the overall reliHiiihty, manufac- 
I urabUityj and repairability of the Mx>del T5fXJ memory' lioaid. 

Because of their high glass transition temperature, HT-3 sub- 
strates are ideally suited to survive the stressful assembly 
and repair processes and to increase the yields widiin these 
processes. The glass transition temperature is the tempera- 
tme at which the lamina! eii fiberglass printed circuit boiird 
transitions from a solid to a pliable materi^d. This is exceedeii 
for FR^l in the printed circuit assent bly process, resulting in 
distorlions of the boaid.s. If no frne-pitch or exira-fine-phch 
parts are used, the fiistortion for FR-4 is acceptable in the 
surface mount process. For large boards that use fine-pitch 
components, the surface mount processes tolerate less dis- 
tortion. HT'2 has the advantage that it remains stable be- 
cause it doesn't reach its glass transition temperature in the 
manufacturing prot*ess. 
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Printed Circuit Assembly and Test 

Model T500 system rcHimrenients, tt\rough their impact on 
the menioi> board design, required development of signifj- 
cant new printed circuit assembly proc*ess capability'. This 
proc-'ess development effort began two years before volume 
shipments and identified the tmportanl areas for engineeiing 
efifort. New technology iJitrodiiced in printefl circuit assem- 
bly included ad\'aneed reflovv techniques. This is miportaiit 
because the total thenmaJ mass of the components reflowe<i 
on the memory^ board b large, and because of ihe nature of 
the connector used for the processor memory bus. Special 
solder paste application methods were developed for the 
processor memory bus comiector This provides the assem- 
bly process with wide latitude for the connectors, phi-grid 
array Sj standard surface mount parts, and fine-pitch parts. 

A key benefit of the cyanate ester choice for double-sided 
assenibhes is reduced runout of the board, resulting in im- 
proved registration of the solder-paste stencil iind compo- 
nents for higher yields of solder joints. In the double-sided 
surface mount process , the B side components are placed 
aJid refiowed before placement of the A side components. 
Since retlow for the B side is conducted at a temperature far 
al>ove the glass transition temperature for stand aj-d FR-4 
material, the boards would ha\'e been distorted in this step if 
FR4 had been used. Tlius FR-4 boards would have a higher 
failure rate on solder connections for the A side components. 

Printed circuit bo^ird test was another area identified by the 
eiirly concniTejil erigineeriiYg effort,. Model T500 printed cir- 
cuit assemblies ate tested using a strategy' extended from 
tlie HP 3070 board lest system. Much of tiie test is conducted 
using leading-edge scan techniques. For example, because 
of trace length and capacitance, it was impossible to add 
test points between the processor mcmoiy bus drivers of 
the bus transceivers rUid the arbitration and address buffer 
and the resistor pack that connects to die bu*3 without im- 
pacting perfonnarif e. A scheme was demised using the scan 
poti tc> activate eacli chips drivers. Tlie IIP 3070 is set Hi 
■A[i\i]y 'A known currein to eaih n*sistor and nieasur*^ the 
voltage drop, from which the resistors value and coniie<:tiv- 
ity can be determined. There is no loss of lest coverage for 
these fme-pitch ymits and the scheme has the added benefit 
of verifying much of the chips fimctiomility. Be<'inisc of the 
chip design ieati lime, HP'snwn scan poil urchitcctun^ (de- 
signed several years in advjmce of tiie IEEE 1 i 19 stiuidard 
for this t>pe of test a|.>proacli) is used and costoni software 
tools were developed Cuiyenl cliitJ designs conliiin the IEEE 
1 149 scan poil whicli is directly supported by the HP 3070. 

A m^ijor mtmuhiriurijig challenge was the total nuint>er u\ 
nets iiiid the board laytnit ck^nsify found ii^ the inernoty bomd 
Willi 4273 nets, if nonnal HP 3070 design mles, wltich require 
one tesi point per net, were folio we<1 as much as 20*^* of the 
surface oi' the board would have been dedir^ated to test 
points, Tb solve this problem a scan -leased aj([)roach is used 
Oil tile nets where \'LB1 t)arts ha\'e sctU; pc^rts. By using the 
yrm ports and exercising some of the MSI jjarl futic^tionality, 
the number of nets that need test points is reduced to 2026. 

II lis apt>roaciv freed board space and allowed the needed 
deasity lo be acliievetL If lliis density hati not been at hjeved. 
tile alternative would have been to tower the capacity of 



Package Design Using 3D Solid Modeling 

The mdustnal dest^ and prockici design groups designed the HP 3Q0Q Model TSGO 
corporate business sefwr package using the HP ME 30 sotid mocfelinp systsn In 
ttie past, designs were drawn as 2D onhtigraphjc lavouB These teyoms were 
then dfrnensioned aT>d p^per coiJies wife gn/Bn m the vendor for fabrication Now, 
3D bodies are sent directly to vendcH^ vfa modem wittiout living to djnneisiQn 
them A 2D drawing is also sent to the vendor to provide a view of the part, usu- 
aiiy isometric, and to call oirt notes and necessary seeorvdary opefamms (plants 
iQferanc^. cosmeiic fequiren^iiis. press-m fasfgner installations, etc.). 

Usir^ 30 solid modeling allovyed Ihe pifoduct destgn group to reduce design tirne. 
reduce part dDcumentaiiQn tirne, and reduce design errors caused by using 20 
layouts (with orthographic views, alt three ZD views must be updated for a design 
change Jnsiead of a single 3D body) Additional benefits are faster tyrnarDund on 
proiotypes and an (mproved proi:e£s for creating assembly documentation (iSDmeD"ic 
views of assembly positions are easily created by manipulatirig 3D bodies). 

Eight engineers created approximately 150 stieei-metat parts, ten plastic parts, 25 

cables. 15 miscellaneous parts, and many board components. Managing such a 
large mechanical assembly was i nit tally thought to be too difficult But having an 
organized file structure and 3D body placement strategy allowed the design team 
to work together efficiently All engineers worked on their own assemblies, stored 
in separate wnte-protected directones, and were able to view adjoining assemblies 
for interface design, 



each menioo^ board, thereby lowering the overaU system 
memory capacity. 

The service processor presented two ni^or challenges lo 
make it fit both electrically and mechanically (inio ihe HP 
3070 test fixture. The total of 2312 nets on this boat'd made it 
impoitant to make all possible electrical piris of the test fix- 
ture available, which was tiirricult considering the large 
number of components. Tills problem was alleviated by 
careful layout of the scnice i>rtKH'ss<)r wilh the tesI fixtiue 
in mind. A custom fixtnre w els tlcf^igned to accommodate the 
board with its 2.5-inch bnlkhearl 

All of the boards and fixtures are designed to accommodate 
tile Iransilioji loa no-clean process, which jriUows majiufae- 
tu ring o f [> r i tn e 1 1 c i rci i i I asseni bl Les wit hout a ch loroil u (tro- 
car b on (I'FC) wash. This advanced work was driven by 
Hewlett- Packard's commitment to the total eliminatioti of 
CFXL's, which Imve been shown to destroy the ozone layer. 
Tlie elimination of CFC use at FIP was accomplished by May 
15, 1993, more thait two years aiiead of tlie Montreal I^oux-ol 
goal for an international biui on the use of these chemicals. 

Mechanical and Final Assemtdy and Test 

A key focus ol" t onciment design for nii;Quifacti[rability was 
the frame arul cajdcage design. Eaiiy effort by the tlesign 
team and nvantifactiiring w^ent into detecting arejis to improve 
the (lr:'sigii for ease of assembly, ttt miniinize the nurnher and 
variety uf fasteners, and lo reduce the nmnherof sfdckerl 
items. This resulted in a set of features tJiat LncIu<Je: 
Extensive use of captive fasteners, that is, fasteners that are 
Ijrejjlacetl in ntecliajiical subiisse[nl>lies. This reduces tlie 
niiiubiT of indivltlual mechanical parts to handle dmlng 
jLsstMiihly. 

A minimal set of uiiiqae fasteners with extensive use of 
T>i"x fasteners. 
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• One-direction fastening. A^sscmblers are not required to 
reach around or use awkwarcl movements dunng assembly. 

• A simplified assembly procedure. Only one piece to pick up 
and handle during any operalion. 

• Modularity. It is very easy to install or replace many 
components in the chassis wilhout interference. 

• Extensive use of high-deusily cr^nnectors for wiring hai- 
nesses. This reduces wiring lime and errors. Pc.nnt-(o-| joint 
wiring is minimal. 

• A robust cabinet ai\d a very strong fmme. The frame can 
survive shipping on its casters alone, and does not require a 
special pallet for most shipments. 

• A refrigerator-sized cabinet that when fully loaded (approxi- 
mately 300 kg) can still be moved easily by any operator or 
technician. 

The Model T500 is designed with many inherent testabiltly 
featiires, most of which are accessible using the system con- 
sole. The system console is one of the most finuiamental 
functions of the Mo<iel T500. It can be used in I he earliest 
stejjs in bringing up and testing a newly a'issenibiet! system. 
This pennits extensive control and monitoring caivabUity 
fir-om a single eonimimication point for matni fact tiring s auto- 
mated test control host, and elimhiates the need for many 
additional custom deiices traditionally used for testing large 
computer systems. Many of the testability features benefit 
both manufactming and customer support. The capabilities 
used for manuiaetnring 1 est inchule the following: 

• Monitor and change system parameters (such as .sercji^dary 
voltages or powder system status) from the system console. 

• Review from the console the system activity logs whieii 
track events that may indicate incorrect operation. 

• Change self-test configuration. Select only the tests desired, 
or repeat tests to aid defect analysis. 

• Access diagnostics through a LAN connection standaid on 
alJ configuratiofis of the system. 

• Diagnose potential failure sources down to a specific 
integrated circuit. 

• Use scan tools designed closely to manufacturing test 
specifications. 
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PA-RISC Symmetric Multiprocessing 
in Midrange Servers 

By making a series of simplifying assumptions and concentrating on basic 
functionality, the performance advantages of PA-RISC symmetric multi- 
processing using the HP PA 710D processor chip were made available to 
the midrange HP 9000 and HP 300D multiuser system customers. 

by Kir k M. Bresniker 



The HP 9000 G-, II , imd hclass and HP 3000 Series 98x 
sei-^ ers wen* fu'sf introduced iii the last quaner r jf 1990, 
Over Um hfetinie of these systen^s almost continual ad- 
vaiices ill performance were offered thiough increa.ses iit 
cache sizes and processor speed. However, because of de- 
sign constraints present in these low-cost systems, the imiits 
of uniprocessor jjerfonnance were being reached. 

At the same time, the HP PA 7100 processor chip was being 
developed. Its more advanced pipeline aiKi superscaJai^ Tea- 
tiu-es promised liigher uniprocessor perlormance* Advances 
in process technology and physical design also promised 
liigJier processor frequencies. 

Part of tlie defmition of the PA 7100 is a functional block 
that allows two PA 7100 processors lo shaie a uienmrj' arui 
I/O infrastructure originally designed for a single jji ocessor 
TMs functional block provides all the necessary ciicuitry for 
coherent processor commimication. No other system hard- 
ware resom"ces sie necessai-^'. This reaUuv of the FA 7100 
processor made it technic^ah.y fe^Lsihie to create a vety low*- 
cost tw^o-w^ay symmetric nniltiiirfjcessing processor boaifi 
for the HP 9000 and HP ;iOOO midrange senders. However, 
significarit design trade-offs had to i>e jnade to c^reate a 
product in the time frame necessary. 

This arlicie dt'scribes the design of tliis new processor 
l>uiucl, wliich is useil in the HP 9000 IModels G70, H70, and 
170 sei-vrMs TIm^ hi* 3000 Series 987/200 business computer 
is baseti on tlie Scinie processor board. 

Design Goals 

The tlesigu goal of the system was to provide the advantages 
of syitmietric multiprocessing in the midrange servers both 
to new customers in the fonn of a fully irttegrated serv'er and 
to existing customers in the form of a i>r-ocessor hoard up- 
gratle. The only coi^straint, was that existing nienioryj 1/0 
c ards, and sheet metal hail to be used. Everything el^e was 
open to possible change. However, a strong restoring ft)rce 
was provided by tlie need to minimize lime to market ;ind 
the vei-y real staffing constraints. There simply weren'l time 
or resources to etiable us to provide all the features associ- 
ated with symmetric inultit>rcH"essing. The decision was 
ntade lo make the per'fonnaiice advantages of syjunietJ ic 
multiprocessing the primary design goal for the midrange 
ser\'ers. 



Development History 

The I-class ser\ er was chosen as the initial developiuenl 
platfonn for the PA 7100 processor An l-class processor 
board was developed that accepts a PA 7100 module consust- 
ing of the processor package and high-speed static RAMs. In 
adthtion, i\n extender board w^as developed that allow^s two 
PA 7100 modules to be connected to die I-class processor 
boartL This foiu'-board assembly, wiiich was the first proto- 
type of tlie eventual design, booted and w-as fuUy functional 
within live months of the initial PA 7100 uniprocessor 
mm -on. Tliis shori time iieriud alloweci all the basic operat- 
j ng sy st.ei n c 1 1 an ges iu \ d pe ! i < ) rm ai ice i \ leas u re men ts to be 
made at the sait>e time as the uniprocessor work was being 
done, hy the .same design team, wit ii only a small jncrementid 
effoit. 

At this point, the efforts of the design team were centered 
on introducing the PA 7100 uniprocessor serve^rs. However, 
strice tile initiiil iierruimant e measiireiuents of the synunetric 
multiprocessing prototype were so encouraging, the team 
cont inued to refine and develop the initial prototype into a 
1 1 lan utactur ai:>le produci . 

The first decision of the design team was to implement the 
design using IM-byte uistniction and data caches, a fourfold 
increase over die initial PA 7100 designs. Tliis decision was 
driven by the initial performance measurements made on 
prototypes, which showed that the larger caches optimized 
the utihzation of the shared processor memory bus. Tlie 
same^ nieLisurements also showed that thc^ most desirable 
performance levels would require tlie design to matc:h the 
previous processor frequency of 96 MHz. Tlus w^oidd be the 
first of the large-cache, high-speed designs for the PA 7100 
processor, and would therefore carry considerable design 
risk. 

The next decisiou was 1<j imj)lement the design nut willi 
niothiles, but ;is a single bcjard. Tlus w^as done to lower the 
cost and teclinok>g.y risk of the design. Tlie shared proces- 
sor mt^uoiy bus wtnild be twice as long as in previous de- 
signs, hui it would not have to bear the additional signal 
integrity burden of two module connector loads. This was 
the first of the simplifying assuniiJtions. but it let! to several 
key oi iiers. 
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Fig. 1. f )n rlK^ left, is The tmmorlt- 
fied aiiilow pattern stiowlni? the 
second processor m the tiiermal 
simdow of the firsl. On fJie riglu 
is the re vised airflow pattern 
showing the inipuigeinenl cooiiiig 
provided by tJie baffle fan. 



A great deal of the complexity' in symmetric muItiprocesRing 
systems arises not jiist from the problems of maiiitainhig the 
processors durmg normal operation, but from handling spe- 
cial operating conditions hke failiires or booting. Smce in this 
case botii processors arc always installed, one processor is 
desigtiatec! as the ''monarch ' and is allocated special respon- 
sibilities. The second t>rocessor is designated as the "serf," 
and is not aUocated any special resi>onsibilil.ies, 'Hiis obvi- 
ates the need lor a complex inelhod of detenu iniiig which 
processor should maintain coiit rol fiuritig excepUoiml c irCLirn- 
stances. Also, since both processors are on the same botud 
and cannot be replaced inciependetttly. it was decided li\al if 
one processor should fail, tlie other would not contintie fo 
operate. This removes an entiie class of complex i titer ac- 
tions that w^onld have had to be discovered, handled, and 
tested, considerably shortening the firmware development 
life cycle. 

One negative imphcation of the smgle-board so hit ion was diat 
one processor wns m the direct auHow path of the otlier (see 
Fig. IJ, Tliis meant that a new solution for cooling had to be 
dei^ised, but ut such a way that the upgrade to tlie new design 
would not impact the existhig sheet metal. A passive solu- 
tion of diverting the airflow using air baffles did not prove to 
be effective enougli, so the rtiechanical design team devised 
an active solution, A forced-air baffle was devised that is 
essentially a box occupymg the jiiirfLow vohune next to the 
processor board. It has three openings centered above the 
processors and the worsi-ctise cache components. The box 
is pressurized by a miniature f£m. Tins causes air to impinge 
directly on the critical components witliuut disturbing the 
airflow to die rest of the processor hoard. Since the primary 
airflow is now normal to the processor board, a new heat 
sink consisthig of a grid of puts was devised to allow the 
iiupinging air to cool die processors most efficiently. 

One draw^back of this active airflow solution is I hat it relies 
so heavoly on the miniatnie fan to maintain the firocessor 
temperature in a safe range. Of all component classes ased 
in these systemSi fans have some of the higher failure rates. 
Since so much of the an- volume next to the jnYJcessor board 
is committed to the forced-air l:faftle, faihn e t sf the forced -air 
baffle fan can cause pennanent damage to the processors if 



not detected in time. In fact^ tlie overheating of the proces- 
sors was measured to be so rapid in the event of the baffle 
fan failure that the existing ov^ertemperature protection could 
not be activated quickly enough. Foi' this reason, the fan is 
continuously monitored. If the fan stops spirmmg or rotates 
slow^er than a preset hmit, the system power supplies are 
shut down immediately. In addition to providing maximum 
protection to the processors, this solution also removes the 
need to burden the softw^SLU'e and firmware development 
w i t h status c he c king rou ti nes. 

All of tliese decisions were made in the background, w^hile 
tlte uniprocessor design was being readied for release, hi 
fact, some of the impetus for niakmg tlie simplifications was 
the lack of time. However, it was clear tJiat the desire for the 
system wtis strong enough for the team to continue. Within 
one week of the release of the final revision uf the unipro- 
cessor system, the initial revision of the multiprocessor pro- 
cessor !:)oard was also released. This functional prototype 
proved to be extremely stable, with no hard vv ate failures 
reported during the design phase. 

Verification 

It was at this point thai the electrical verification of the 
design began, and witli it the challenging phtise of the proj- 
ect as well. The design risks of the large, high-speed caches 
imagined eai'ly on turned out to be all too real. The most 
pr oljlemat ic aspect of the caclie design is that tlie read ac- 
cess budget forthe cache access is one aJid one half clock 
cycles (15.6 ns, assumhig 96-MHz operation). Dming that 
time, the address must be diiven to the SRAMs, tlie SKMis 
must access the data, and the data must be diiven back to 
the processor. Ciurent SRj\M technology constimes ahnost 
60% t>f the read budget in internal access tinuf Ttiis liudget 
needs to be maintained over all possible opera! ing condi- 
tions, and a single fault can cause either a reload (in the 
case of iristnictions) or a system p attic and shutdovvTi (m the 
case of data). The unique ]:)roblern with tliis design wiis that 
caclies this large had never before been rmt with the PA 
7100 processon 

The test methodology used was to run tests tailored to stress 
the caches while var>ing the system voltage, temperature^ 



Jimc 19M He wlf ti-PcickanI JotiniaJ 



)Copr. 1949-1998 Hewlett-Packard Co. 




G7fl=4S[Gls 
H7Q = 8 Siflts 
17D ^ 12 Sldl^ 



Fig, 2, Block dlagnini of tlie HP 9000 Model ITO cfimpiiter s>Titpm- 

aiid frequency. Althougli functional testing at normal condi- 
lioiis had yielded no failures, the initial cache design cjujckly 
succumbed to the pressures of tliis ty^ie of electrical verifica- 
tion. Analysis of the failures indicated that the read budget 
was being violated at the comb me d extremes of low voltage, 
high lemperal ure, and higli frequency. Tlie lM-b>te SRMIs 
had higlier capacitive loads ;md were physically larger tJian 
their lower-density counterparts. This greatly increased the 
address drive lime. The team did not have recourse to ftister 
high-density SR.\Ms from any verulor arui cacfies buill out 
of faster lower-density SRAMs woul<J nol imve provided Ihe 
synmietrical multii>rcH:essing perforniaiKe we desiretl 

What followed was an exhaustive analysis by all three con- 
tributors to the design: Lhe PA 7100 design team, the board 
design teatu, and the SRMl vendor design teams. Eacli tetmi 
wnrketl al puliiu^^ fractions of nanoseconds (mt of the read 
acces,s. The boarrl design team experimenled with leiTiiina- 
tion desigrvs and new layouts to improve address drive rime. 
The PA 71U(I learn pushed their chip hister lo increiise the 
reaf I lime budget. They Jiiso identified wliich critical signals 
liaii lo be fiisLer than alJ the rest and simulated the board 
teams changes- The SRAM vendor design teams pushed 
their processes to achieve fiister cc*mponents. All three 
teams pushed tlieir tJesigns !<> the limits, ant I il took con- 
tributions from ail three teams to succeed. In the end, it 
took over six monl.hs of constant design refinement and 
testing to achieve the final result, a design that meets the 
tetun's initial electritra) verification requirements. This turned 
out to be the only si go i fie ant electrical design problem that 
Lhe processor board team had to solve. 

Willie the board design team worked (Hit the electrical 
design issues, a separate team was formed to verify the 
muitiprocessing funetionaJity of tlie PA 7100 processor. This 
formal verification wiLs the last step in the development 
eye It* for the systems. 

System Overview 

A block <liagrani of the Model 170 system appears in Pig. 2. 
Both PA 7100 C'Pl s are configured wtlh I M bytes of instruc- 
tion cache cUid IM bytes of data cach(\ The prrK'esstjrs run 
at a speed of fl6 MMz. Tlie shaied i>tocessor memory l>us is 



operated at a fixed ratio of 3:2 with respect to the proces- 
sors, or G4 MHz, and comiects the processors to the single 
memory^ and VO controhen The memory and I'D controller 
interfaces to a maximum of 768M bytes of error corrected 
memory. The I/O adapter connects a demultiplexed version 
of the shared processor memory bus to a four-slot fModel 
G70). eight-slot (Motiel H70J> or tweh^e^lot (Model 170) 
HP-PB (Hewlen-Packard Precision Bus) I/O bus. 

hi addition to the processor boards the base system conslsbs 
of the IIP-PB backplane, a memory extender, a fan baffle^ 
and a multifunction I/O canL 

Sygtem Specifications 

Tlie foUowing specifications are for the 12-slot Model 170 



Processors 



Cache 



Processor Clock 

System Clock 

Maximmn Memory 

1/0 Bus 

Maximimi Integrated Storage 

Maxunum External Storage 

Maxim lun Li^Ns 

Maximum Users 



2 PA 7100 superscalar pro- 
cessors with integrated 
floating-point unit 
IM-byte instnictiou cache 
per processor. IM-bytedata 
cache per processor 
96 MHz 
64 MHz 
7fi8M l)yies 
1 12-slotHP^PB 
6G bytes 
228G b\tes 
7 
3500 



Summary 

The success of bringmg PA-RISC s^anmetric multiprocessing 
to the IIP 9000 and HP 3000 midrange sei-vers was the result 
of iuiplementing simplified syimnetric multiprocessing func- 
tionality. The PA 7100 team integrated aJJ the lluictionality for 
two-way symmetric multiprocessing into their design. Tlie 
system design team followa^d their leati by cremating a system 
ai oimd the tw^o prof^essors that includes only tlie c*ore hard- 
w^are and fimiw^are fmictionality absolutely necessary for 
operation. 
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SoftBeneh Message Connector: 
Customizing Software Development 
Tool Interactions 



Software developers using the SoftBeneh Framework can customize their 
tool interaction environments to meet their individual needs, in seconds, 
by pointing and clicking. Tool interaction branching and chaining are 
supported. No user training is required. 

by Joseph J. Courant 



SoftBeneh Message Connector is the user tool interaction 
facihty of the SoftBeneh Framework, HPs open integration 
software framework. Message Connector allows users to 
connect any tool that supports SoftBeneh Frame work mes- 
saging to any other tools that support SoftBeneh Framework 
niessaging without ha\ing to imtlerstand the iinderlyhig mes- 
saging S€ heme, t'sers of the rraiuework cmi e^isily cusiomize 
their tool interact ioji eiiviromrieMts to meel their in<li vidua! 
needs, in literally seconds, by simply pointing and clicking. 

People familiar with the term SoftBeneh may know it under 
one or both of its two identities, Tlte tenn SoftBeneh usually 
refers lo a software constniction toolset. ^ The lenu Soft- 
Bench Framework refers to an open integration software 
framework often u.sed to develop t ustoni eiivironrneinsr 
People familiar with SoftBeneh the toolset shoviltl know that, 
underlying the toolset is the SoftBeneh Framework. 

Messaj^e Connector am be used to establish connections 
between any SoftBeneh tools without uTulersiaiKling the 
underlying framework. Ttie editor cim he connected to die 
bulkier which can be connected to tlie mail facility and the 
debugger, and so on. Message Connector does not care what 
tools will be connected, as long as those tools have a Soft- 
Bench Framework message interlace. Tlie message inter- 
face is added by using the SoftBeneh Encapsulator,'^ which 
allows users to attach messages to the fiinctions of most 
tools. Message Comiector uses the message interface 
directly and wilhoul modification. To date, over seventy 
knOA^Ti softw^are tools from a wide variety of companies 
have a SoftBeneh message interface, it is also estimated that 
a nmch larger number of imknoAvn tools have a SoftBeneh 
message ioteriace. I'sers of the SoftBeneh Frmnework can 
now treat tools as components of a personal work environ- 
ment that is tailored specifically by them aiui only takes 
minutes to construct. 

Tools as Components 

What does it mean to treat tools as components? To treat a 
tool as a component means that the tool provides some 
fimctionality that Ls part of a larger task. It is unproductive 
to force tool usei's to interact witJi several indivitlual tools to 
accomplish a single task, but no tool vendor is able to pre- 
dict all of the possible ways in which a tool's functionality 



will be used, Using Message Connector^ several tools can 
be comiected together such ( hat they interact with each 
other automatically This automatic interaction allows the 
user to focus on the task at hand, not on the tools used to 
accomplish the task^ 

A simple but powerful example is detecting spelling eiTors 
in a document, text file, mail, or any other text created by a 
user The task is to create text tree ofstielling e [Tor's. The 
tools mvolved are a text etlitoi' antl a spell cliet:ker In tradi- 
tional tool use, the editor is used i,o create tiie text and then 
the spell checker is used to check the text. In simple notes 
or files the text is often not chet^ked for errors because it 
requires interacting witli another tool, which foi- simple text 
is not worth the effort. Wlien treatijig tools as components 
the user simply edits and saves text and the speD checker 
checks tine text autonTatically, only making its presence 
knovvTi when errors exist. Note ttiat in traditional tool use 
there is one task but two requiretl tool interactions. In the 
component use model, there is one task iuid otie TeqiiLretl 
tool interaction (see Fig, 1). 

I ;smg Message Connector, a user can establish that wiien 
the editor saves a file, the spell checker will then check that 
specific file. This is accomplished as follows: 

1 . Request that Message Comiector create a new routine 
(routine is the ntune given to tmy WHEN/THEN tool interaction). 

2. Select the WHEM: tool to trigger an action (editor), 

3. Select the specific function of the WHEN: tool that will 
trigger the action (file saved), 

4. Select tlie THEN: tool to respond to the action (sped 
checker). 

5. Select the specific function that will respond (check file). 
ii Change tfie WHEN: and THEM: file fields to specify ttiat the 
file saved will he the file c lie eked, 

7, Save the routine (routines ai^e pei"sistent files allowing 
tool interactions to be retained and turned on iuid off as 
desired), 

8, Enable the routine. 

Now any tune the editor saves a file^ that file will automati- 
cally be spell checked. The focus of creating text free of 
spellmg enors is now the editor alone. The spell checkuig is 
driven by editor events, not by the user* 
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-^ ftequireif User Inleracttott 

-^ Automatic Toot Interaetioii Using Message Qoim^ctar 



Fiif. 1. Tradjtjonal tool use (left) comparerJ vaxh tools as task corn- 
in ^nents (light) H Using the SoftBench Message Conner: ror^ Lhe user 
€aii set tip a routine so ttiat whenever a iile is saved by the editor it 
is auloiiiaticail}' apell checked. Hie spell uiietker does not have to b« 
explicitly invoked by the user. 



TooJ Interaction Branching 

Wliile the above example is ver>- simple, it iipplies eqtiaJly 
weU to any number of tool interactions. It jh also possible \o 
create brancMng of inteniction based tipon the success or 
tail tire of a specific tool lo pcii'ontt a specific ftinction (see 
Fig, 2), For example, when the build tool creates a new exe- 
cutable program then display, load, and execute the new 
program within the debnggen when the build tool fails to 
create a new executable then go to the Lute itt tiie editor 
where the failure occurred. 

Interaction Chaining 

It is possible to define Interact iotis hiu^t»d upon a specific hie 
type, riiid it. is ^dso possible to <4uiin the interactions (see 
I^g. 3). As an eximiple. w^hen the editor saves a text file then 
spell check tliat file; when the editor sEives a source code 
fde then perform a complexity analysis ujion that fde; when 
a complexity' tmalysis is i)erfonned oti a file and tfiere are no 
ftmttions that exceeti a gi\'eii complexity thresltold then 
biukl the file; when the complexity is too high, go to the 
fi met ion in the editor that exceeds the given complexity 
tlireshi>ld; when the build tool creates a new^ executable 




— ■ ^ AulOfnaticTopt Interi^clJiiii Using Message CDnnector 

Fig* 2» Mt^ssage Connector supportH luol jrit<:*iartioii braiichiug. A 
diffcn ill tiMil in invoked autnnuitkally flpperiding on Ihe result of a 
I J n^vioi J s operat um. 




► Automattc Tool interaction Using Message CannBctfir 

Fig. 3. Tool interaction etiaining- 

program then display^ load, and execute the new program 
within the debugger, reload the new^ executable intf j the static 
analysis tool, and save a version of the source file; when the 
build tool fails to create a new executable, then gt) to the 
hue in tiie editor where the failure occunett This example 
of interaction chaining allows the user to focus on the task 
of creating defect-free text and source files. The tLser's focus 
IS on tJie editor and all other tools reqthied lo verity error- 
free files are driven automatically by editor events, tiot by 
I he user. The tools have become components of a user task. 

Message C'oiniector Architecture 

Tiie archiLecture of Me^isage Cotinector follows the compo- 
nent moiiei of use encouraged by Message Coimector. As 
shown in Fig. 4, Message Cotii^ector is a set of three sepa- 
rate com p< merits, JCar-h component is responsible for a sepa- 
rate function and works with the other componenis liirough 
tiie Hofi Bench hVaJiiew^ork ntessaging system. The routine 
manager provides the ability to enable, disable, organize, 
and generally manage tlie routmes. Tlii' routine editors 
functiott is routine creation and editing. The rcjutine engine's 
fmiction is to activate and execute rotitines. 

The importance of this architect tire is that it allows Message 
Connecton the tool llial ^dlows other tools tt) be treated as 
components, to be treated as a set of components, Tliis al- 
lows the tiser, for examj)le, to retjuest that tht* r'otit ine engine 
enalile or disable ajujther routine within a rouliae. It allows 
the user to nm a set of routines using the rotitJne etigine 
without a user interface. It allows the user to retjuest that 
tlie routine engine atitomatic^dly enalile any routine saved 
by the rt aitine editor Many other examples of tlie advantages 
of the architecture can i)e given. 

The routine manager simply gives the user a graphical 
method of managing rout hies. UTien analyzing tlie tasks a 
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Fig. 4. SoFtBench Me^sagfr 
Coiirif'c^tcir aid dtef. lure. The 
three major Mess^ige (jOimector 
modules — Uie routijie manager, 
the rcmthie editor, aiid iJie rou- 
line engine — aw treated aji 
i omponents like the totjJs. 



Message Connector u^ser would perform, it was corbel mled 
thai rjie routine manager would be in ilie user's envinimTient. 
most of the time. Il whs also concluded that the routiue 
manager w^ouki ije an icon most of the lime. As a result, the 
design goal lor the roiiline manager w^as to occupy us little 
screen space, memor>', and process s[>ace iis ]3iissil>le. As 
designed and implenienied, a large portion of I !ie [outine 
manager's user interface simply sends a message to the Soft- 
Bench Framework requesting that a service be peifonned. 
As an example, the Enable and Disable command buttoiis simply 
send a message requesting that tiie routine engine enable or 
disable the selected routine. The routine manager was de- 
signed, implemented, and tested tsefort* tlie implementation 
of the routine editor and the routine engine. 

The routine editor proved to l)e very challenging. The Mes- 
sage Connector project goal stated that, "Message Connect or 
w ill provide SoftBenrh Framework value to all levels of end 
users in minutes." \^Tiile a simple statement, the implica- 
tions were very powerful, ""All levels of end users" implied 
that W'hatever the etiitor ditl^ displaying the underlymg raw 
framew^ork woidd never meet the goal. All infonnation 
would have to be highly abstracted, and yet raw information 
must be generated antl could not be lost. "All levels of end 
users" also implied that any user couJci add messaging tools 
to the control of Message Connector, so Message Connector 
could not have a static view of die framework and its cur- 
rent tools. *'In minutes" impUed that there would he no need 
to read a manual on a specific toofs message interface and 
format to access the tool's functionality. It also implietl that 
the routine editor, tool hst. and tool fxuiction lists must be 
iocahzable by the user without disturbing the required raw 
framework infonnatioiL **!n minutes" also impUed that there 
would be no wanting of code to comiect tools. 

The routme editor underwent sist^"^ paper prototype re\Tsions, 
eighteen code revisions, and countless fonnal and informal 
cognitive lesLs with users ranging from administrative assis- 
tantij to tenured code development engineers. It is ironic 
that one result of fcjcusing a major portion of the project 
team's effort on the routine editor tias been that various 
pet jple involved w ith pronioting the product have complained 
that it is too easy to use. Apparently people expect uitegra- 
lion to be difficutt, and w ithout a demonstration, potential 
customers question the integrity of the person describing 
Message Connector When someone is told that there is a 
tool that can connect other disparate tools that have no 



knowledge of eacii other, in millions of possibie ways, in 
secortds, without writing code, it is rather hard to believe. 

The routine enghie turned out to be an objectoriented won- 
der. The routine engine must be very fasl. It stores, tleciphers, 
matches, and substitutes portions of framew^ork messages, it 
receives and responds to a rapid succession of a large nunv 
ber of trigger messages, and il accom modal es hit tire en- 
hancements. The routine engine is the IjEaiii, heaii, and soul 
of Message Connector and is completely invisible. 

Example Revisited 

Walking through the eight steps in the simple etlitor/spell 
checker example above will shoW' the interaction within and 
between each of the Message Connector components, 

L Request timi Message Connector create a new mutiiie- 

This step is accompUshed using the routine manager (see 
Fig. 5). The routine manager's task is to prf>mpt the user for 
a routine name, ensure that the name has the (>roper tile 
extension (mcr), cind then simply send a request to the mes- 
sage server to edit the named routine. The routine manager's 
role is largely coordination. It has no intimate knowledge of 
the routine editor. After sending the request to the message 
ser\'er to edit t he named routine, the routine manager will 
aw^ait a notification from the message serv^er of whether the 
edit was a success or a failure. Tlie routine manager then 
posts the status of the request. 

A separate routine editor Is stalled for each routine edit 
request received by tlie message sender. WTien the routine 
manager sends a request to the message sei'ver to edit a 
rovdine, the message serv^er starts a routine editf>r and the 
routine editor initializes itself and sends a notificat ion of 
success or failure back to the message server. Fig. 6 shows a 
typical routine editor screen, 

^. Selevl the WHEN: loot to trigger o/fj act ion. 

In the case of creating a new routine, there is no rout ine to 
load into the editor and tlierefore the WHEN: and THEM: fields 
are display etl empty The rouline editor searc^hes for and 
displays all possible tools available for Mess^ige Connector 
to manipulate. It is important that Message Connector is 
actually searching for Message Coimector tool catalog files, 
not the tools tiiemselves. For each file foiuuf tlie file name 
is displayed as a tool in the routine editor 
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File Routines Logging 



Praject: hpf ceac:/users/courant 
IK>tJTVC MANAGER 



H^w... I Delete..* 



I ESt.., I Dupikate... 



ffiddioiifmr 



Unhide Routine. , 



Routine List 



Status 



LOCATION: HOME 
MC_Demo-imcr 
btii Id-debug , mc r 
edit— build. HQcr 



LOCATION: SYSTEM 



Enable Routine 



Disable Routine 



Fig. 5. Tyr^icaJ routii>p nuuiager screen. 



The Message Connector tool catalog files contain three ini- 
jjortant pieces of information . The catalog files are ASCn 
files til at contain tlie raw messages required to access the 
finu tJons of tlie tool being cataloged. The catalog files also 
contain the abstractions of the raw messages (these are dis- 
played to the user, not the raw messages) and any message 
help that may he required by a user For most tools, ihe cata- 
log file is prt>\1ded for the user by ihe person who added the 
message interface. If the catalog file does not exist for a 
particular tool, it can be created using that tools message 
interface dot^imientation. The catsdog does not have to l>e 
created by the tool prQ^^der. The catalog files can also be 
edired by the user to change the abstraction tUsplayed or to 
liide some of the seldom used functions. 

W'heu the user selects a tool fiom tlie Message Connector 
routine editor tcjol hst. the routine editor goes out and parses 
I lie tools catalog file for all appiicable message abstractions 
and flisplays those abstractions. 

^i. Select the specific function of the WHEN: foot Ihot uifi 
trigger tlw actiofL 

When a user selects a WHEN: fimction and copies that function 
to the WHEN: statement, the routine editor reads the fmic- 
tion s raw message and the abstraction of the raw message. 
Only the abstraction is displayed to the user, but both the 
raw message and the abstraction are temporarily preserved 
until the user saves the routine* 



FkHitme: /users/courant/^MC/Routines/edit-spell . 

Select the tool and theti an dctnn from tl*Hs it^ts below and pt es^ tlie desired cdpy buttttn. 



P AH Projects 



WHHN: I Editor ! I to-FilB„Saved Succetded: 



on I n*me ; H* 



HOHE-REQUIRED 



with data options 



THEN; Request [Spelf 



[j Ignore Failures 



Usf; ^i^i^HvlK'fd fM^ii^yil 



0*1 I $n^me 



I NONE -RE OU IRE D 



with data optloiH 
Milt TIPtE THEN: Bequest Ust jh^^ fApperrf] ^Jtetetej f^ar| Select execution type: Serial U Par altet 



Tdol's Action List 



Show Bequests 



.Request Spi?ll Set_Dictionary * Hoime_dictionairy_name 

Systefl^ Tools; I Request Spell No_Dictionary 

E^UILD _^ I Request Spell U^e.British-Spelling 

CM ^ft I Request Spell Use.EDgllsh^Spelling 

CXXDET^H I I Request Spell Display 



I Help on Sdected Action.. 



Save Routine 



Copy to "WHEN:' 



Copy to "THEN:' 



Fig. I>, 'IVjmal rimtirH' r^riiLor 
Herpen, 
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4. Sdect the THEN: tool to wspond to the actio7i. 

5. SeLeci the specific functmn that wiU respond. 
These steps are similar to tlie WHEN: steps. 

6. aiange Hie WHEN: and THEN: file fidds. 

Tliis simply allows I lie user IC) change Die values displayed 
on the screen. For lliese vahies, wJial is seen on the screen 
is what will be used when the user selects Save RoLtine. 

Z Save the, rouiim. 

This step takes all of the raw^ messages, the message ab- 
stractions, and the screen values and assembles them into 
an internal routine file format which both the routine editor 
and the routine engine are able to read. The routine editor 
fiien writes out a t>jjiaiy data file uito the routine fMe being 
edited and then quits, 

1*?. Enable the routine. 

This step is driven by the routine nianagefj but is perfonned 
by the routine engine. The user selects tlie rotJtine ol' interest j 
then selects the Enable Routine button on the routine manager. 
Again, the rtjutbie manager's primary role is coordination. 
When l\w user selects the Enable Rautine button, the routine 
tnanager simply finds the routine selecte<l and semLs a re- 
ttuest to lUk^ message scr\^er to enable ilw named routine. 
The routine engine receives the enable request ft-om the 
message server an(i reads the named routine. After rcadmg 
the routine, the rotUhie engine establishes tlie WHEN: mes- 
sage connection to die message serv^en Tins WHEN: comicc- 
tion Ls as general as required. If I he user uses any wildcards 
in the WHEN; statement, the routine engine will establish a 
general WHEN: message comiection and tlien wail until the 
message server for\%^ards a message tliat niatches t he routine 
engines message t^onnection. If the message server fonvanis 
a matching message, the routine engine sends a request for 
each of the THEN: statements to the message sener. 

Development Process 

Message Connector's tiansformation from a cot^cepl to a 
product was a wonderful challenge. The two most in^portant 
elements of this transfonnation weie a cross-fmictional 
team and complel c project traceability. A decision was 
made before tlie first project meeting to assemble a cross- 
functional team immediately. To make Ihe team effective, all 
members were considere<:l equal in till tcimi acti\ity. It was 
made clear that the success oj' failure of the project w^as the 
success or failure of the entire tetun. This turned out to be 
tlie most important decision of the Message Coimector proj- 
ect. Tlie team conKistefi oFjieople from himian factoi-s, 
learning products, product maiket ingn research and develop- 
ment, promotional marketing, and tecluiical customer sup- 
port. Most of the team members only spent a portion of their 
time on the Message Connector project. However, a smaller 
group of fuU-rinie people could never ha\'e substituted for 
Message ronnertor's cross-functional team. The tollective 
knowledge of the team covered ever>^ iispect of product re- 
quirements, design^ development, delivery, training, and 
promotion. During the entire life of the project notliing was 
forgotten and there were no suiprises, with the exception r>f 
a standing ovation following a <le[iionstration at sales train- 
ing. The team worketi so well that it j^uideti and corrected 
itself at evei-y juncture of t !te project. 



One critit^al reason the team worked so weM w^as the second 
most important element of the project— <'t:>mplete projec^t 
ti'aceability. Tliere w'as t\ot a single element of the project 
that could not l>e directly t raced back to the project goal. 
This traceabdity provided excellent conmumication and 
direction for each team member, hi ihe first two intense 
weeks of the project, the learn met twice per day, one hour 
per meeting. Tliese meetings derived the project goal objec- 
tives [subgoals by team definition), and requirements. The 
rule of these meetings was simple: while in this portion of 
the project no new level of detail was attempted m^til the 
current level was fully defined, umler*stt)0(i. and challengefl 
by all members. As each new^ level of detail was definetl, one 
criterion was that it must be directly derived front tiie level 
above — again, complete project traceability. The project 
goal was then posted in every team member's office to pro- 
\ide a constant reminder to make the correct trade-offs 
when working on Message Connector. This aniomit of time 
and traceability seemed excessive to some people outside of 
the team, but it proved to be extremely productive. All of the 
Team members knew^ exactly what they were doing, what 
others w^ere douig, and why tliey w^ere doing it throughout 
the life of the project. 

The project goal was made easy to remember, but was ex- 
tremely challenging: "Message Connector will provide Soft- 
Bench Fnimework value to all levels of end users in minutes." 
At first glance* this seems very simple. Hreakijig the goal 
apart, there are three separate, very challenging ineces to 
the goal: "SoftBench Framework value," ""all levels of end 
users," and "in minutes," As an example of the challenge, let's 
look more closely at tiie "in minutes'' portion of the project 
goal. "In niumtes^ means that tiiere is a requirement that the 
user find value in hterally minutes using a new product that 
uses a rather complex framework and a large number of 
imknown tools that perform an unknown set of fimctionaUty. 
How^ would Message Connector provitle all of this infonna- 
liori without requiring the user to refer to any (iocimTcnta- 
Xkm'I 'In minutes" made a ver>^ diamatic impact on the user 
interface^ user docimientationj and user training (no trainuig 
is required). Tiiese three pieces of the goal also provided the 
groirnds for the project objectives. The projet I object Ives 
then provided tiie basis for" the pioject and product rei|uire' 
ments. At each new level of detail it was reassuring to the 
team that there was no effort expended that did not directly 
trace back to the projet^t goal. The team ownersliip, motiva- 
tion, creativity, and productivity pi'oved to be extremely liigh. 

Conclusion 

L'sing Message t^jnuector, user*s of the Sofi Bench Frame- 
work can easily customize their tool interaction emiiorv 
nient to treat their tools as components of a task, in literally 
seconds, by simply pointing aiuJ clicking. This was all made 
possible by immediately establishing a cross-functional team 
to own the project and requiring complete project trace- 
abititj'. An uitere sting fact is tiiat eaily users of Message Con- 
nector developed two new^ components that are separat e 
from the Message Connector product but iwe now^ shipped 
with it. One component ( named SoflsheO) executes any spe- 
cified l^NI^* command using messagiJig and can return the 
output of the command in a message, Tliis allows a Message 
Connector user to execute UNIX conunands directly as a 
result of an event of any tool. For example, when the user 
requests the editor to edit a fde, il^ tiie file is read-only then 
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ex€?cute the I -NIX command to give the user write access. 
The second component (named XtoBMS) converts X Win- 
dows events into messages that Message Connector can tise 
fo request functionality from any component automatically. 
This means that when any tool maps a window to the 
s<^reen. the user environment can respond with any action 
The user defines. This has been used extensixeiy in process 
management loob so that the appearance of a tof^l on the 
screen causes ihe process tool to change the task a user is 
currently perfomiing. 

Ac kno wledgme nts 

The transformation of Message Connector from concept to 

protiuct wa^ the resiilT of a \'erv' strong ream effort: WTiile 
there were man,v people invoheci with the project at various 
points, the core Menage Connector team consisted of Alan 
Klein representing learning products, Jan Ryles representing 
lumiaji facHjrs, Byron Jeniitgs representing research and 



de\ elopment, Gaty Thalman representing product market- 
ing, Carol Ge^ner and Wayne Cook representmg lecrhnical 
ctistomer support, Dave Willis and Tim Tlllsi>n representing 
project management, and the author representing research 
and development. The cross-funcUonal team approach 
caused roles and res[K)nsibilities to become pleasantly 
blurred. The entire leant is the parent of Message Comiector. 
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Six-Sigma Software Using Cleanroom 
Software Engineering Techniques 

Virtually defect-free software can be generated at high productivity levels 
by applying to software development the same process discipline used in 
integrated circuit nnanufactLiring. 

by Grant E. Head 



In the lale 1980s. Motorola Inc. instituted iti; well-lcnown six- 
sigina prograjiL^ Ttiis program replaced the "Zero Defects" 
slogai) of I fie early '80s and allowerl Motorola to win the tirsl 
Malcolm Baklridgc* awaiTl for quality in 1988. Siiiee tJien^ 
many other eompanics have initiated six-sjgnia programs/^ 

The six-sigma program is based on t!ie principle that long- 
term reliability ret^uires a greater desij^n margin fa more 
robust design) so that ilie prothict ean enckire the stress of 
use without failing, Tlie measure for clelermining the robiLst- 
ness of a design is based on the standard deviation, or sigma, 
found in a standard normal distrihution. This meayiire is 
called a rapahility index (Cp), which is defined i^ ifie ratio 
of the maxirninn aMowable design tolerance limits to I lie 
traditional ±J3-sigtna tolerance limits. Thus, for a six-sigma 
design limit Cp = 2. 

To illustrate six-sigma capability, consider a manufacturing 
process in wiiich a thin film of gold must, lie vapor-deposited 
on a silicon substrate. Suppose that The taiget thickness of 
this film is 250 angstroms and tiiat as htile as 220 angstroms 
or as much as 280 angstroms is satisfactory. If as shown in 
Fig. 1 the ±30-angstrom design Uniits correspond to the six- 
sigma points of the normal distribution, only one chip in a 



billion will he produced with a filin that is either too thin or 
too thick. 

In aoy j) radical process, the position of the mean will vaiy. 
h is generally assumed that this variation is about +L5 sigma 
With this shift in the mean a six-sigma design would produce 
3.4 parts [>er million defective*. This is coi>sidered to be satis- 
factory mitl is becoming accepted ^is a quality standaid. 
Table 1 lists (he defective partnS per miUion (ppni) possible 
for different sigma values. 

A I first (he six-sigma measure was applied only to hardware 
reliability and manufacturing processes. It was subse<tuerRly 
recognized tlial it could also be applied to software (lualily. 
A number ot* soli ware tievelopmcnt methodologies have 
been siiown It) pr'oduce six-sigma quality softw^are. Possibly 
the methodology that is the easiest to implement and is the 
most re peal able is a technique called cleanroom software 
engineering, which wjis de\eh)ped at IBM Corporation's 
Federal Systems Di\1sioti duriiig the early 1980s.'^ We ap- 
plied this metiiodology in a limited way in a typical HP 
environment and achieved remarkable results^ 
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Fig. 1 . All iltustration of a sJx- 
Sigma design speL^ificaiitai. A 
design sper^ifi cation of ±;30 ang- 
stroms corresfjoiuls to a ±6',sigjna 
design. Aisti showTi is lhc^±L5o 
variation from the nierm as a 
result of variariajis in the prnee^. 
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Table I 

Defective ppm for DEfferent Sigma Vaiyes 

Sigma piun 

1 697,700 

2 308,733 

3 66,803 

4 6,210 

5 233 

7 OjlIP 



When applied to sfjftware. the Htanclard unit of measure is 
called use, and six-sigiiia in this coniext means fewer than 
3.4 failures (deviaUons from specificatioiis) per million uses, 
A une is genenilly defined to be something small such as the 
single transaction of eniering rni order or conmiand line. 
This Is admittedly a ralhermurky definition, hut murkiness 
is not considered ro be signiftcani . Six-sigma is a verj* strin- 
gent reliahiiity standard atid is diffic^uh to measure. If it is 
achie\^ed, the user sees virtually no defects at all, and the 
actual definition of a use then becomes academic, 

C'leanroom softw*are engineering has demonstrated the ability 
to prodiice software in which tJie user finds no rlefects. We 
have confimTed these resuks at HE This paper reports our 
results at)d provides a desc^ription of the cleanroom process, 
especially liiose portions of the process that we iised. 

Cleanroom Software Engineering 

Cleanroom software^ engineering^ ( "'cleiinroom'') is a metapboi' 
that comes fn>m integrateti circuit mmuifacturing. Laige- 
Ncali' integrated circuits must be manufacturert in an envi- 
ron ni**nl that is free from tlust, flecks of skin, and amoehas, 
iunong other things* The processes and environment ar<' 
careliilly controlled imd tJie results are constantly monitort^d. 
When fiefet'ts oc<"ur, they arc {'onsideretl to be defects in the 
processes and not in the pro dud. These defects arc charac- 
terised t<* delemiine the proc^ess failure that produced them. 
The processt*s are then corrected and rerun. The product Ls 
jvgtMieratecL Tlie original defective product is not ftxefl, but 
dlsc^;u*ded. 

The cleanrfjom softwan^ engitieering j>hi3o^ophy is atmlogous 
to the integrated circuit rnannfacturing clem\ro<mi process. 
Processes mid enviromnent.s are carefully controlled and iire 
monitored for defect^s, Any defects found iire considered m 
he defects in one or more of the prr^ccsses. FVir exanH)le, 
defects could be in the specification process, the design 
methodology, or the inspection tecluiiques used. Defects ;ire 
not considered to be in the source tile or the code module 
that was getierated. Fliich tlefect is characieriitefl to detennine 
which prrjcesH failerl arttl how^ the failure am be [prevented, 
The fMing process is corret ted mid rerttru Tbt* origiital priMl- 
uct is discarctetl This is wtiy one of the main profxments of 
cleimroorn. Dr, Marian Mills, suggest.s that the most initiort^mt 
lo(4 for clemiroom is the wastebaskei/* 

Life Cycle 

The life cycle of a cleanroom project differs from the tradi- 
tional Ufe cycle. The tradtlionai 40-20-40 post investigation 



life cycle consists of 40% design. 20% code, and 40% unit 
testmg. The product then goes to iniegration testing. 

Cleanroom uses an 80-20 life cycle (80% for design and 20% 
for ciKling)- The unexecuted and untested product is then 
presented lo integration testing and is expet-teii to w^ork. If it 
doesn't work, the defec'ts are exaniincMi lo determine ho\%^ 
the process should t>e impro%'ed. The defective product is 
then discarded and regenerated using the improved process. 

No Unit Testmg 

t nit testing does not exist in cleanroom. Unit testing is pri- 
vate testing perfonned by the programmer with the results 
remaining private to the progranmier 

The lack of unit testing in cleanroom is usually met with 
skepticism or with the notion that something wasn^t stated 
correctly or If was misunderstood. It seems inconceivable 
tliat imit testing should not occur. However it is a reality, 
Cleimroom not only claims that there is no need for unit 
testing, it also states that imit testing is dangerous. Unit test- 
ing tends to uncover superficial defects that are easily found 
during testing, and k injects "deep" defects that are difficuU 
to expose with any other kind of testing, 

A better process is to discover all defects in a public arena 
such as in integration testing, f Preferably, the original pro- 
gramnter should not be involvetl in performing the testing ) 
The sante rigorous, disciplined processes would then be 
applied to the correction of the defects as were applied to 
the original desigi^ anci ctwiing of the jiroduct. 

In practice, defects are almost always encotmtered in integra- 
tion testing. That seems to surprise no one. With c*leanrrK)m^ 
however, these defct^ts are usually minor and can he fixed 
with nothing more than an examination of the .symptoms 
and a quick infornuil check of the ct>de. It is very seldom 
that sophisticated debuggfTs are required. 

When to Discard the Product 

When IBM was asked about the criteria forjudging a module 
worthy of beuig discarded, tiii^v staiefl that the basic criterion 
is that if testing reveals more than five defects per thousand 
lines of code» the ntodule is discardecl. This is a low defect 
density Ity industrv' standards.'^ particularly w^hen it is con- 
sidertHl thai the code in i|U(*slion luis never Iseen exf*cuted 
even by an individual progrannner 0\.w experience is that 
any half-serious attempt to implement cleanroom will easily 
achieve this. We achieved a defect density of one defect per 
fhinisaml iinvs of code the first time we did a fieanroom 
|)roJe(1. h wouhi appear that this "^discfLrd the fiffending 
module'* policy is jnimaiily intended to be a strong attention 
getter to ac^hieve conmiitment to the process. It is seldom 
necessary to invoke it. 

Product hi ty Is Not Degraded 

Productivity is high with cleanroom A tniined cleanroom 
team can achieve a productivity rate approaching HOO non- 
comment sotirce statement's (NCSS) jn^r engineer menu It 
I mlustrjr' average Is 120 NCSS per engineer jiu>nlli. Most HP 
entities quote figures higher than this, hut sekloni do tiiese 
quotes exceed 800 NC'SS. 

Thert^ is also evidetice that the resultuig product is signifi- 
cantly more concise and comi>act than the indtistry average. "^ 
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Tills further enhances pniductivity. Not only Ls t-he jinxJuct 
pnnliK^ed at a high statementijer-nioiitli rate, but the total 
number of statements is also smaller. 

Needed Best Practices 

Cleaurooni is compatible wjtb most irKftistry-acccpted best 
practices for software generation. It is not necessaiy to un- 
learn anything. Some of these best practices are required 
(such as a structured design methodolo^v). Others snch as 
software reuse aie optiojiai bin cumpatiblc. 

As mentioned above^ cleanroom requires some sort, of struc- 
tured design methodology'. Il luis been successful ty employed 
using a number of chfferenr design approaches. Most recently 
however, the cleanroom originators are recommending a 
fomi of object-oriented design.'^ 

All cleanroom deliverables must be snbject to inspections, 
code walktti roughs, or some otbei' fomi of rigorous peer 
re\iew. It is not critical what form is ap[)lie<i What is critical 
is tliat 100% of all dehverables be subjected to this peer- 
review process and that it be done in small quantities. For 
instance, it. is reconmiended that no nifire I ban tliree to five 
pages of a code module l)e inspected at a single inspection. 

Required New Features 

In addition to the standard software engineering practices 
mentioned above, tiiere are a number of cleanroom-specific 
processes that are required or are reconmicnded. Ttiese 
practices include structured specifications, fimctional verifi' 
cat.tonj St nictured data, and statistirai testing; Stnictmed 
spec iflcati tins are applied to the project lie fore design beghis. 
This strongly affects the delivery schefluie aiul the project 
management process. Fimctional verification is applied diu'- 
ing design, codin||j and inspection processes. Structured 
data is applied during the design process. Finally, statistical 
testing is the integration testing methodology of choice. 
Fig- 2 smnmarizes the cleanroom processes. 

Striietiired Specifications 

Structured specifications''^ is a term applieti to tlie process 
used to fh\ide a product speciFication into small i>ieces for 
itnplemcntation. It is not crit ical exactly how this division 
is accomplished as long as \he results have the follo\^ing 
characteristics: 

Each specification segment must be small enough so that it 
can be Inliy implemented by the development team witliin 
days or weeks rather than months or years. 



• The resuh of implementing each segment must be a module 
that can be completely executed and tested on its own. Tliis 
means that no segment can contain partially implemented 
features that nnist be avoided during testing to prevent 
program failure. 

• The segments may noi have mutual dependeru^ies. For ex- 
ample, it is satistactory for segment 4 to require the imple- 
mentation of segment 3 to execute correctly. It is assumed 
that segment 3 will be implemented first and will exist to 
support I he testing of segment 4. However, it Ls not satisfac- 
tory for segment 3 to require segment 4 to execute properly 
at the same time. 

The structured specifications process is used by cleanroom 
to facilitate control of the process by allowing the develop- 
ment team to focus on small, etisily conceptualised pieces. A 
secondary but very imiJortant effect is tJiat productivity is 
increased. Increased prt>ducU\ity is a natural effect of the 
teams beii^g focused. Each deliverable is small and tiie time 
to produce it is psychologiciilly short. The deliven^^ date is 
therefore always umninent iuid always seems to be within 
reach. Morale is generally high because reaJ progress is 
\isible and is achievable. 

Structured specifications also offer a very' definite project 
management advantage. They serve to acliieve the frcH|uently 
quoted maxim that when a project is 5(yM) complete. biM of 
Its features should be lOtMi complete instead of 10(y}f^ of its 
features being 50% complete. Pioper managenient visibility 
and die alnlity to control delivery schedules depend upon 
this maxinV's being true. 

Structured specifications are very similar to incremental 
processes described in other methodoUjgies but often the 
purposes and benefits sound quite different . For instance, in 
one case the stnictured specifications prcjcess is chilled evo- 
lyliaiftuy delnmyj}^ The primary benefit claimed for evolu- 
tionary' delivery' is that it idlows "real" customers to examine 
early releases and provide feetlback so that the product will 
evolve into something that really satisfies customer needs. 
ilP supports this approach and has classes to teach the 
evolutionary tielivery process to software developers. 

From the dest-ription just given it would appear that each 
evolutionary release is placed into the hands of real custom- 
ers. This implies to nuuiy people that the entire release pro- 
cess is repeated on a frequent (moot My) b^isis. Since multiple 
releases and the suppojl of multiple versions are considered 
headaches for product support, this scenario is frowned 
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upon. Cleaitrm>m does not niake it a priority to place each 
stage of ihe prcKluct into the hands of real customers. 

Looldng at the definition of a real customer in the evolution- 
ary delivery process, you realize that a real customer could 
be the engineer ai the next desk. In practice, the product 
cannot lie dt^lrs'ered to more than a fiandfui of alpha or beta 
tester?* until the prrjduct is released to the full market. This 
type of releiiye should not oc:cur any more often titan nor- 
mal* In fact, since cleanioom produces high-quality prod- 
ucts, the number of releases required for product repair is 
signifirantly reduced. 

Another type of strucrm^d specifications teclinique, wiiich 
is applied to information technology development, uses 
infomiation engineering time boxesJ" Tinie boxes are used 
as a means of preventing endless feature creep while ensur- 
ing that the jirodnct (in this vase an infonnation product) 
srill has fleKibility and adaptability to t:hanging business 
requirements. 

IIP has adopted a technique calieti sfwrf intetTni srfwrhd- 
ing^^ as a project management approatlt Siiort jntert^al 
schetitiling breaks the entire project into 4-to-6-week chunks, 
each Hith its own set of deliverables. Short internal schedul- 
ing ctm be appiietl to (Jlher projects feswles tJiose tnvohed in 
software develoi>ment. This is an insight that is not obvious 
in other technk]ues. 

All of these methods are very .similar to the stniciured speri- 
fications technique. As different as they sound, they all sewe 
to break the task into bite-siKeti piecew. which is Uie goal of 
the stiiictured spec 10 eat ions portion of cleanroom. 

Funcdonal Verification 

FuticfionaJ verification is the heart of cleanroom and is pri- 
marily responsible for achie\ing Ibcfhainatic imjirovement 
in quiility tjossible with cleanroom. It is b^ist^l on the tenet 
that, given the f)roper circumstances, the human intellect can 
determine whether or not a piece of logic is correct, and if it 
is not correct, devise a modification 1o fix it,''' Fimctioiid veri- 
fication has thr(>e levels: intellectual control, legal primitive 
eviiluation. m\i\ aiialytical proof. 

bitellectual control requires tliat the progression from speci- 
fications to code be done in steps that are small enough and 
documented well enough so that tlie correctness of eacb step 

' This tewi IS also Tt>e defmition of intellectual conlral 



is obvious. The working term here Ls "obvious." The reviewer 
should be tempted to say, "t)f course this refinement level 
follows correctly from its predecessor! Why belabor the 
point?* If the reviewer is not tempted to say this, it may be 
advisable to redesign the refinement level or to document it 
more completely. 

Legal primitive evaluation enhances intellectual control by 
providing a nmthemalicaily deriv^ed set of questions for 
proving and testing the assumptions made in Hie desigtt 
specifications. Analytical proof^^ enhances legal primitive 
evaluation by answering the question sets matbemaiicaUy. 
Analytical proof is a very rigorous and tedioas correctness 
proof and is very rarely used. 

We have demonstrated here at HP that intellect uaj control 
alone is capable of producing code with sigiTificimtly im- 
proved defect densities compared to software developed viith 
other trad iUonal development procesvses. Application of the 
conij>leie cleanroom process will provide another twx> to 
three orders of magnitude improvement in defect densities 
and will produce six-sigma code. 

Intellectual Control The human intellect, fallible though it 
may be, is able to iissess correctness w^hen presented with 
reasonable data in a reasonable formal. Testing is far iufe- 
rior to fhc power (\f the huwaff tntefleef. This is the key 
point. All six-sigma software processes revolve arotmd this 
point. It Ls a ni>ih that software must contain defects. This 
myth is a self-ful ill ling prophecy and prevents defect -free 
software from being routinely presented it> the marketplace. 
The prevalence of the defect m>th is the res nil of ajiother 
nijrth, which is that the computer is superif>r to the hvmian 
and tliat computer tesling is fhe best way to ensure reliable 
soflivare. 

We are told that the himian intellect can only nndpi^vland 
cuniplexilies when they are linked together in cinsc, snnple 
relati(jn.sbips This limitation can be macie lo work for ti.s. Ef 
il is ignored, it works against us and hatidica|>s otjr creative 
ability. Making this limitation work for us is the basis of 
fiuictionaJ verification. 

The basis for intellectual conlrol antl fimcrional verification 
is a stnictured development liierarchy Most of us are famil- 
iar with a represeniation of a liierarchy like the one ntodelcfl 
in Fig. 3. This could be an illustratiini of how to progress 
from design S|jec ifications lo actual code usit\g miy one of 
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the cunrenily popular, mdustry-acceptt^ti best practit^es for 
design. Eac*h ai' Ihpse pracl k'C's lias some form of stepwise 
refmcmtmt. Each Ijreaks down Ihe sperifi rations into ever 
greater detail. The result is a program containing a set of 
commajids in some programming language. 

Hie dtEference between Llie different software design nieth- 
ods is reflected in the interpretation of what the squares and 
the coruieeting lines in Fig, 3 represent. If the dev^eloper is 
using strut tured design techniques, they would mean data 
and eontrol rormeci ions, ;md if Ihc developer Is using ohjerl- 
oriented design, they would represent objects in m^ objert- 
oriented hierarchy. 

Functional verification dot^s not care what these symbols 
represent. In any of these methods, the squares 1, 2, :3. and 4 
are sujjpcjsed to describe fully Ihe functionality of the speci- 
fications at that level. Similarly, I.l througli 4.3 fully de- 
scribe the fimctionalily of square 4, mid the ccjfie of s^jnare 3 
fully implements the functionahty of square 3. Inlellecinal 
control can be achieved with ajiy of theJTi l>y adhering to tlie 
following five principles. 

Principle 1. Documentation nmst be complete. Ttie tirst key 
principle is that the dorunientation of the refmement levels 
must be complete. It must fully reflect the requirements of 
the abstraction level inmiediately above it. For instance, it 
must be possible to locate within Ihe documentation of 
squares 1 through 4 in our example eveiy feature described 
m the specifications. 

If documentadon is complete, intellectual contiol is nearly 
automatic. In the case described above, the designer intu- 
itively works to make the doriiinentation and the specilica- 
tions consistent with each other. The inspectors intuitively 
study to confirm the correctness. 

Note that it is not always necessary^ to reproduce tlie spet^ifi- 
cations word for word. It will often be possible to simply 
state, "This module fidly implements the provisions of sperifi- 
cation section 7-lb." The inspectors ru^ed only confinn that it 
makes sense for section 7^b to t>e treated In a single module. 

Other times it may be necessary to define considerably more 
than what is in the specificalions. A featiu'c that is spread 
over several n iodides requires a specific description of 
which poriloii is treated in each module ;ind exactly how the 
modules interaci with each other It iimsl bv possible for tlie 
inspectors to look at all the modules as a whole and deter- 
mine that the feature is properly implemented in the fiill 
niodide orchestration. 

This principle is conunonly \ioIated. Al] influstrv -accepted 
best desigit processes encourage full flocumentation, IjuI it 
is still not done because these design processes often lack 
the perspective and the respect for intellechial control that 
is provided by the principles of fimctional verification, or 
they are msufficiently compelling to convey this respect. The 
concept of intellectuaJ cont rcjl is often lost by many design 
processes because the main empltasis is on the mechanics 
of the specific methodology. 

The result Is that frequently the documentation for the first 
level of the systeni specilications is nothing more than the 
naiues of the nuxhdes (e.g., L Data Base Access Module, 
2. In-Line Update Module, 3. Initialization Module, 4. 1'ser 
Interface Modtile). It is left to the inspectors to guess, based 



on tJie names, what poriions of the specifications were 
intended to t>e in which module. 

Elven when there is an attempt to conform fully to the meth- 
fxlokigy antl provide full dot n men tat ion, neither the designer 
nor the inspectors seetr\ to worry about the c:ontinuity that is 
requiretl by functional verification. For exainpie, a feature 
requir*ed in the design specification might show up first in 
level 4. 1.2 or in the code associated witli level 4. L2 witjK>ut 
ever having been referenced in levels 4 or 4.1. Sometimes 
the chosen design methodology does not sufficiently iivf ti- 
trate that this is dangerous. Once agtun, tlus is the result of a 
failiu-e to appreciate and respect the concept of intellectual 
control 

If proper documentation practices are followed, the result of 
each inspection is confidence that each level ftilly satisfies 
the requirements. P'or example, squares 1 through 4 in Fig. 3 
fully implement the tc)p4evel specifications. Nothing is left 
t)ut, defeiTed, undefined, or added, and no requirement's are 
violated. Similarly, 4, 1 through i.;l fully satisfy the provisions 
of 4, and 4. LI md 4.1.2 ^dly satisfy 4.1. 

With these conditions met, inspections of 4.1 thi'ough 4.3 
shtmkl only require reference Ui the defiriition for square 4 
to confimt that 4.1 through 4.3 satisfy 4. If 4,2 attempts to 
implement a feature of the specifications that is not explic- 
itly or imphcitly referenced in 4, it Ls a defect and should he 
k)gged as such in Ihe inspection meeting. 

Principle 2. A given definition and all of its next-level 
refinements must be coveretJ in a single inspection session. 

This mearts that a single inspecrion session must cover 
square 4 and kill nf its next-level refinemen(s> 4 J through AM. 
Altogetiier, 4.1 through 4,3sh<mld not be more than dhoni 
five pages of malerial. More than five pages wouhl iutlicate 
that too much refinemeTit was attempted at one time and 
intellectual control probably cannot be maintained. The r^jf- 
fending level should be redone wifli some of tlie intended 
refineinent deferred to a lower levet 

Principle 3. The full hl>^ cycle of any data item nmst be totally 
defined ai a single refinement level and must be covereti in a 
single inspection. 

Tins is the key principle that tillows us to l>e al>le lf> inspect 
2.1.1 and 2.1.2 anil only be concerned alxmt their reaction 
with each other mid the way they implement 2. 1, There is no 
need to determitie, for example, if they interact correctly 
with 1.1 or 4.3. 

Tlus principle is a breakthrough concept and obliterates one 
of the most tioublesome aspects of large-system modiftca- 
tion. One seems never to be totally secure makmg a code 
modification. There's always the concern that something 
may be getting broken somewhere else. Tlus fear is an mtu- 
itive acknowledgment that mtellectual control is not being 
luiiintained. 

Such ""rernotc breaking" cat) only occtir because of mconsis- 
tent clata management. Even troutvlesome prol>lems associ- 
ated with iriappropriate tmeniiptability or t>ogus rectirsion 
are caused by inconsistent data management. Intellectual 
control reciuires extreme respect for data management 
visibility* 
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This visibility c^n be maintained by ensuring that each data 
item Ls MJy defined on a single absiraclion level and totally 
studied in a single inspection session. It should be dear 

* Where and why the clala item tomes into existence 

• WTiat each data item is initialized to and why 

* How and where each data item is used and what effects 
occur as a result of its use 

•» How and where each data item is updated and to what VBlue 

• Where^ why, and how each data item is deleted. 

Note thai careftil adherence to this i^rinciple contributes 
significantly to creating an object-oriented result even if that 
is not the inient of the designer. This principle is also one of 
the reasons why cleanroom lends itself so well to object- 
oriented design methodologies. 

Once the inspection team is fully satisfied that the data 
management is consistent and correct, tliere is no need to 
be concerned about interactioas. For instance, the life cycle 
for data that is global to the entire module would be fiiUy 
described and inspected when squares 1, 2, 3, and 4 w^ere 
insj^ected. Square 2 then totally deiines its own portion of 
this n^anagement and 2.1, 2.2, 2.1.1, and 2.1.2 need only be 
con censed that they are properly implementing square 2's 
part of this definition. Squares 1, 3, and 4 can take care of 
their own portion with no worry about the effects on 2, 

Adherence to principle 3 means that it is not necessary to 
inspect any logic other tJian tliat whitii is presented in the 
inspection [jacket. There is no intellectually imcon trolled 
requirement to execute the entire program mentally to 
determine whether or not it works. 

Principle 4. l-pdates must conform to the same mechanisms. 

Since even the best possible design pro(*esses are fallible, it 
is likely that unanticipated requirements will later be dtst^ov- 
ered. Fmictional verification does wot preach itle (his. For 
instance, it may be tliscovercd Llutt il is ru^'cssary to test a 
global flag in the code for 2. 1.1 which in turn must be set in 
the code for 4.2. This is a common occurrence and the tyi>i- 
cal response is simply to create the global flag for 2,1,1 and 
then update 4.2 I o set it properly. Bug foimd Bug fixed, 
Everytliing wt:>rks fine, 

[ lowevei; we have Just destroyed the ability to make subse- 
querU modifications to this mechanism in an inteilecrually 
controlled way. Future intellectual control requires that this 
ncw^ irUerfiic^e be retrtifitled into the higher abstraction 
levels. The life cycle of tlus flag musr be fully flescnlied at 
thesquai'c 1 tjirougli 4 level, hi that one document, rhe 
squaie 2 lest and tf\e square 4 update must he described, 
and then the appropriate portions of this definition must be 
repeated and refined in 2.1, 2.1.1, and 4.2, and of course, all 
of this sfiuuld he .subject to a full inspection. 

Principle 5. Litellectnal control nuist be accompanied by 
bottom-up thinking. 

These principles caji lull peot>le into lielieving t hat tht>y have 
iiiiellectual control when^ in fact, intellectual ciintrol is noi 
possible. Intellectual ^^ontxol is, by its nattue, a top^lown 
process and is endangered by a futfall IlicU lb real ens all top- 
down design processes: the tendency lr> pusiptmc rc^al tleci- 
sions indefinitely- To avoid tills pitfall, the ilesij^ners must be 
alert to potential "mul4hen-a-rniracle4iappens" situations. 
Anytliing tl uit looks suspiciottsly tricky should be prototypetl 



as soon as pt^sible. All the top-down design discipline in the 
world will not save a project thai depends upon a feature 
thai is beyond the current stale of the art. Such a feature 
may not be recognized until very late in tlie development 
cycle if top-dowTi design is aUow^ed to blind the de\'elopers 
to its existence. 

The Key Worii Is ''OiiYioys,*^ It must be remembered thai these 
five principles are followed for the single purjjose of making 
it ob\ioiis to the moderately thorough obserx'cr that the 
design is correct. I^ctlcahty must be sufficiently demon- 
strated, documentation must be sxifficienUy complete, Ute 
design must be tackled in sufficiently small chunks, and data 
management must be sufficiently clarified. A\} of these must 
be so ob\iously sufiicient that tiie reviewer is tempted to 
say, "Of course! It s only ob\ious! Why belabor it?" If this is 
not the case, a redesign is indicated. 

Our experience suggests that the achievement of such a 
state of ob%1ousness is not a particularly challenging task. It 
requires care, but, if these principles are well miderstood, 
this (*are is almost automatic. 

Legal Primitive Evaltxation 

Legal primitive evaluation enhaitces intellectual control by 
pro\iding a mathenuiticaHy derivefl set of questions for each 
legal Dykstra primitive (e.g^ If-Then-Else, While-Do, etc.). For 
each primitive, the de-Signers aiKi the reviewers ask the set 
of questions that apply to that primitive and confirm diat 
e^cli question c an be atiswereci affirmatively. If this is the 
case, the correctJiess of the primitive Ls ensured. 

A rigorous derivation of these questions can lie found else- 
w^here.^'^ There Ls insufficient space here to go tlirough tliesc 
derivations in detu.il , but we can Illustrate tJie process and 
its matliematical basis by using a sliort., nonrigoroiis analysis 
of one of these sets, the White-Oo prijnitive. Questions associ- 
atiHl with the other primitives are given on page 47. 

The Whife-Do c*onstnict is defme<l as folkjws: 

S = IWhife A Do B;l 
which means: 

S is fully achieved by IWhile A Do B;], 

The symbol S denotes the specification that Liu* primitive Is 
attempting to satisfyj f)r the fimction it is artemf>ting to per- 
form. The symbol A is the while test, and B is the while body. 

As an example, S could he the specification: "The entiy is 
added t.t> tlie table." Tlu- predicate representc<l Ijy A would 
then he an at>propriate }:>rocess to enable the prt.vgram to 
perform an iteration and to determine if the operation is 
complete. B would be the processing required to accomplish 
the addition to the table. We have chosen to use a While-Do 
becausCj jiresumably, we think it nmkes sense. We may be 
uitending to accomplish the entry addition by scamiing tlie 
table sequentially until an appropriate inserrion point is 
fourid m\d tht*ri splicing the crmy into the table at that point 
Wli ether or not this makers sense tlepcnds u|>on the knowTi 
(rhaiac I eristics of the entry and llie table. It also may depend 
upon the explicit (or implicit) existence of a further part of 
the specLfication such as "...within 5 ms." 

To investij^ate wbethc^r it has been cT^ded correctly, the 
following three questions idrv asked: 
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1 . Is loop it^miination ^laraiiteed for any argimie^nt of S? 

2. Wlien A is truo, does S equd B followed by S? 

3. When A is false, does S equal S? 

When the answer to these three qnestiniis is yes, the cor- 
rectiiess of the While- Da is guararUeed. The people asking 
these questions should he the designt^r ;aiid the inspectors. 

Thejje questions require some explanation. 

L Is loop termination guaranteed for any argument of S? 

This means that for any data presented to the fimction de- 
fined by S, will I he While- Do always lemiinale? For instance, 
in our example, are Ijiere any possilrle instances of the entry 
or the table for which the While-Do will go into an endless 
loop because A can never acquire a value of FALSE? 

Tills would appear l.o be an ob\aoiis question. So obvious, 
that the reader may be tempted to ask why it is even men- 
iJoned. However, there is a lack of respect for Whife-Do 
termination conditions and many def ect.s occur because of 
failure to tenninate for certain inputs. A proper respetrt for 
this question will cause a programmer to take care when 
using it and vvill significantly help to avoid nontenuinalion 
failures. 

Respect for this quest j on is justified because it is difficult to 
prove Whfle-Do termination. In fact^ it can be mathematicaLly 
proven that, for the general case, it is it!i possible to prove 
termination.^ ^ To guEuantee the conectness of a While-Do, it 
is therefore necessarv^ to design simple termination condi- 
tions thai can be easily verified by inspection. Complicated 
While-Do tests must be avoided. 

2. When A is tnie. does S equal B followed by S? 

This means that, when A is true, can S be achieved by 
executing B Jind then presenting the results to S again? This 
question is not quite so obvious. 

Iterative statements are very difficult to prove. To prove the 
correctness of the while statement, it is desirable to change it 
to a n on Iterative fonn. We chimge it hy invoking S recimsiveiy. 
Thus, the expression: 



S^lWhileADoB;] 
becomes: 

S = [ffAThen(B:SU 



(I) 



(2) 



Expression 2 is no longer an Iterative construct and can be 
more readily proven. Fig, 4 shows the diagrams for these 
two ex^iressions. 

The equivalence of these two statements can be rigorously 
demonstrated,^'^ A nonrigorous feeling for it can be obtained 
hy obsening tliai when A is true in IWhtle A Do 81, tlie B ex- 
pression is executed once and then you slari at the begin- 
ning by making the I While Al test again. If IWhile A Do B| is truly 
equal to S, then one could imagine that^ rather than starting 
again at the begimiing with the {While A] rest, you simply start 
at the begimiing of S. That changes tlie While-Do to a simple 
If -Then, and the predicate A is tested only once. If it is true, 
you execute B one time and then execute S to fmish the 
processing. 

The typical first reaction to this concept is that we haven *t 
helped at all. The S expression is still iterative and now 




lfAThefl(B:S] 




Fig. 4. Diagrams of the priiTiilives While A Da B and If A Then [B; S}. 

weVe made it recursive making it seem that we have more 
to prove, Tlie response to this complaint is that we don*t 
have to prove anything about S at alf The specification (the 
entry is added to the table) is neither iterative nor recursive. 
We bave simply chosen to inipletuent il using a White-Oo con- 
struct. We could, presinnably, liave implemented it some 
other way. 

S is notiiing more than the specification. In the general case, 
it may l>e a compleiely arbitrary slatenient from aiiy source. 
Wliether the specification is correct or not is not (jur respon- 
sibility. Our responsibility is to implenieut it as defined. 

Question 2 can therefore be restated as follows: If A is true, 
when we execute 8 one time and then turn the result over lo 
wdiatever weVe defined S to be, does the result still achie%^e 
S? An affirmative answ^er satisfies question 2. 

In terms of our example, B will have examined part of the 
table. It \^^ll either akeady have inserted the new enLr\^ into 
the table or it wiU have decided that the poition of the table 
it examined is not a candidate for inserting of the entiy^. The 
unexammed portion of the table is now the new" table upon 
w^hich the construct must execute. This new^ instance of the 
table must be comparable to a stiuidalone instmice of the 
table so that the concept of adthng an entry to the table still 
makes sense. If the resulting table fraginent no longer looks 
like any fonn of the table for which the specification S was 
general eds ciuestion 2 may not be answerable affirmatively 
and the proposed code would then be incorrect. 



46 Junp 199-1 HcwIptt-t^aclcarcJ Journal 



)Copr. 1949-1998 Hewlett-Packard Co. 



3, When A is false, does S €»qiial S? 

This qu^tion seems fairiy ob\1ous but it is frequently over- 
looked. If A is found to be false the fifst time the Whife-Do is 
executed and therefore no processing of B occurs, is this 
satisfacton,^? Does the specification S allow for nothing to 
happen and therefore for no change to occur as a result of 
its execution? 

In our example, the test posed by this question would likely 
faiL S requires something to happen (i.e., an entry to he 
added to the table}. This would suggest that the While- Do may 
not be the appropriate construct for this S. We may never 
have noticed this fact if we hadn*l been forced to examine 
question 3 careftilJy. 

Stmctared Data 

The principle of structured data^'^ recognizes that undisci- 
piined accesses to randomly accessed arraj^s or accesses that 
use generalized pointers cause the same kind of "* reasoning 
exiDlosion"* produced by the undisciplined use of GOTOs. For 
instance, take the instruction: 

A[iHBlj+k]; 

This statement looks innocent enough. It w^ould appear to be 
appropriate in any well-structured program, Note^ however, 
that it involves Jive variables, all of which niusi be accounted 
for in any correctness analysis. If Uie program in which this 
slateiuenl occurs Is such that this statement is executed 
several imxen, some of Uiese variables may be set in ijistruc- 
tions that occur later in the progi^am. Thus^ this instrucrion 
all by itself creates a reasoning ex|ilosion. 

Just as Dykstra suggested that GOTOs should jiot be used at 
all,^" the originators of cleaiiroom suggest that raiuioitiiy 
accessed arrays and pointers should not l>e [ise<i Dykstra 
reconuuendcd a set of primitives to use iu jjlace of GOTOs. 

In the same way, cleanroom recommends that randomly 
accessed arrays be replaced with stnjctures such as queues, 
stacks, and sets. These* structures are safer because their 
access methods are more constrained and disciplined. Many 
ciurent object-oriented class libraries support these struc- 
tures directly aiid take nmch of tlie mystery and the complex- 
ity out of mentally converting from random-array thinking- 

Statistical Testing 

StaUstical testltig''^ is not really retjtnred for cleanroom, hul it 
Ls highly reconuiiended because it allows an assessment ol 
quahty in sigrua units. li does not. measure quality in defects 
per lines of code. Measuring (Quality in sigma luuLs gives user^s 
visibility of how ofter\ a ttefect is exj^ected to be encoimtered. 
For insLtmce, il makes no difference if there are 100 defects 
per thousand lines of t f jde if the user never actually enc imn- 
ters any of tliejUH The prodtict would be perceived as very 
reliabU^ On tlieoihfr hcmdn ihf pruduct may have t>iily (}\w 
defect in 100,000 liru^s nf ctnle, i>ut if the userenc^jiniters 
this deted every other day, tlie product is perceived to be 
very unreliable. 

Statistical testing also clearly shows when tt^stiiig is ctjuiplt'^te 
and when the product cm\ safety be relets t^d. If t lit* model is 
predicting that the iLser will encounter a ck'fcf t no r!K)re 
often than iynce evviy TiOOOyeiU's witli an unc(*nainiy of 
±1000 years^ it could be decided that it is safe to release the 



Legal Primitive Evaluation 

As desaibed m the accampanvjns article, ttie pfocess of doing legal pfimitive 
evaludtton tnvDlves asiing a set of mathematically deriv^ quesiiotis about the of 
t^iiz programming pnmttives (e g^ lf-Then-£lse. For^Do. etc \ used in a pr{^r3m 
The fallowifiQ \$ a tist of tt^ Qi^slions tiat must be in/estigmed for each primitive 

In tfi€ tDl Lowing list S mfers to the specircation that must be sabsfie^ by tfie 
questions aslced about the referenced primitive 

* Sequence S = lA; B;l 
Does S equal A followed by 8? 

• Rjf-Da S = |FofADoB;I 

Does S equal first 8 followed by secood B . .. iGllowed by fast 8^ 

ilf-Then S = tlf AThen &;! 

[f A is tf ue, doES S = B? 
if A IS false, does S = S? 

» If ThEn-Bse S = Ilf A Then 9 Else C;] 

If A IS true, does S equal B? 
if A IS false, does S equal Q? 

► Case S^lCasePpartjCllSl 

■ When p is Cl, does S equal Bl' 



part [Cnl Bn Else E;] 



Wnen p is Cn, does S equal Sn? 

When p is not a memtJer of set (Ci CrtK does S equai E? 

• While-Oo S = [While A Da S;l 

Is loop teimifiation guaranteed far any argumfint of S? 
When A IS true, does S equal B foNowed by S? 
When A is false, does S equal S? 

► Do-Unril S-[DoAUmilB;l 

Is bap termination guaranteed for ariy argument of S' 
When B is false, does S equal A followed by S'^ 
When B IS true, does S equal fiJ 

► Oo-While-Do S = |DOt A WIiHe B Odj C:] 

Is loop terminatrari guaranteed fur auy argument of S? 
When B is true, does S equal A followed by C followed by S? 
When B i% false, does S equal A? 



product. Tliis is usually better tliaii sonie iiidiistry-staiKlard 
nic^tiiods (e.g., when tJie at:t.r]tion rate from boredom among 
the test team exceeds a certain thresh old, it must he time to 
releaset or ''When is this pmdiict: supposed to be released? 
May 17th. What s today *s date? May 17th. Oh. Then we must 
be finished lestir^g."). 

Stadstieal testing specifies the way test scenarios are devel- 
oped and executed. Testing is done using scenaiios that con- 
fonu to the expected user profile. A user profile is j^ene rated 
by identifyuig all slates tlie system can be in (e.g., all streens 
thai could be disii)layed by the system) ^md, on each one, 
identifying all the different actions tlie user could lake and 
the reialiw ijercentage of Instant es m which each would be 
Uikeri. As the seen alio generator progresses throttgh tliese 
stales, actions aie selected rajidomly willi a weigbling that 
corresponds to the predicted user profile. 

For instance, if a given Jscreen Ixas a menu item Ihat is antici- 
pated to be invoked 75% of the time when the usf^r is in that 
siTcen, tlie invocation of this menu item is stipulated in 75% 
of the generated scenarios involving the screen. If aitother 
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menu item will only be invokefl 1% of the time, it would be 
called in only 1% of the scenarios. 

These scenarios are tiien exectilcd and the error histoi'y is 
evaluated according to a niatheinaticaJ itiotlel designed to 
predict how many more defects the nsjer would encounter in 
a given period of time or in a given number of ayes. There 
are several different models described in tiie literature. ^^ 

In general, statistical testing takes less time tJian traditional 
testing. As soon as the model predicts a quality level corre- 
sponding to a predefmed goal (e.g., six sigma) with a suffi- 
ciently small range of uncertainty (also prcdefinetl). thc^ 
produti vm\ be safely releasefi 11 lis is the case even when 
100% testing coverage is not. done, or when 100% of the 
patiiw^ays are not execute<l. 

Statistical testing requires tliat the softw^iiie to wbich it is 
applied be minimally reliable. If an attempt is made to apply 
it to softw^are tliat has an industiy-tyi^ical defeci clensityn iuiy 
of the statistical models wiU demonstrate instaliilities and 
usuaUy blow up. When they don't blow up, their predictions 
arc so imfavorable that a decision is usnaliy made to ignore 
them. This is an analytical reflection of tlie fad that you 
can*t test quality into a program. 

Quality Cannot Be Tested into a Product 

Although it is the tiualiiy sf rategy chosen for many products, 
it Ls not possible ro tesi (iLiciIily into a product. DfMmco^^ 
has an excellent analysis thai demonstrates the validity of 
tills premise. Tliis analysis is based on the apptirent fact that 
only about half of all defects can he ehminated by testings 
but that this factor of two is sw^amped by the variability of 
tJie software packages on the market. The difference in de- 
fect density between the best and w^orst products is a factor 
of almost 4000,/^' Of coiuse. these are the extremes. The 
factor difference between tile 25th percentile and tlie 75tb 
I}erc:ei\tile is about W according to UeMarco. No one suggests 
that testing should not be done — it eliminates extremely 
noxious defects which are easy to test for — but compared to 
the variabibty of softw^are packages, the factor of two is 
almost irrelevant. WhBl then are tiie factors that produce 
quabty software? 

Capers Jones^" suggests that inspections alone cim produce 
a 6Wo elimination of defects, atul wiien testing is added, 85% 
of defects are eliminated. There is no reported study, bin 
the litcratiu-e w^ould suggest that inspections coupled with 
fmictional verification wouirl eljminaie more than 90% of 
defects.^* Remarkably enough, testing seems to eliminate 
most (\irtually ab) of the remajning defects. Tlie literature 
typically re]:)oits that no further defects are foiiixd after tlie 
original test cycle is complete and that none are fouiKl in the 
fiekL''^ This w^as also our experience. 

There is apparently a synergism betw^een functionaJ verifica- 
tion and testing. Fimctiontil vGrification eliminates defects 
that are difficult to detect with testing. Tlie defects that are 
left after ai^plication of inspections and functional %'eriiication 
are generally those that are easy to test for. The result is that 
> 99% of all defects are eliminated via the combination of 

■ This f aclDT IS based on a defect def^sttv of SO defects pef KfJCSS for the worst p^odutis and 
0.016 defects per KNCSS Jnr ihe best products. The fsctof diffarBnca bstween these twa 
sxiremes is 60/D.D16 = 375Q m -4CK3Q. 



inspections, fiu)ctional verification, miti testing, Tal>le 1] sunv 
marizes the percentage of defect renin Viil with Ibe api>licat ion 
of individual or ronibinalions of different defect detect itni 
strat^egies. 



Table 11 

Defect Removal Percentages 

Based on Defect Detection Strategies 


Detection Strategy 


% Defect Removal 


Testing 


50% 


Inspections 


60% 


Inspections + Testing 


85% 


Inspections + Fimelional Verification 


90% 


Inspections + P\mc!:iona] Verification 
+ Testmg 


>99% 



Our Experience 

We applied cleanroom to three projects, although only one 
of them acttjally made tr to tlie ntfirkei place. The project 
that made it to JTiarket had cleanroom applied all the way 
through its life cycle. The other projects were caticeled for 
nontechnical reasons, but cleain-oom was appUed as long as 
they existed. The completed project, w hich craisisteci of a 
relatively small amount of code (3.5 KN('SS), was released 
as part of a large Microsoft - Windows system. The project 
team for this effort consisted of five software engineers. 

All the techniques described in this paper except structured 
data and statistical testing were applied to the projects. All 
tlie products were Microsoft Wintlows ap|)hcations wrilteu 
bi C or C++. Structurefi data w^as not afldresse^l because w^e 
never came across a serious need for random airays or 
pointers. Although statistical testing w^as not appbed, it was 
our intent eventually to do so, but the total lack of defects 
demotivated us frotn pinsuing a complicated, analytical test- 
irig niotie particularly when our testing resources were in 
high detitand frotii the organiKation to help other portions of 
the system prepare for product release. 

Design Methodology. We apphed the rigorous object-oriented 
ttietbodology knoT^7i as box notation. ' Tliis is the metiiodol- 
ogy reconunended by the cleanroom originators. We found it 
lc> be satisfyingly rigorous and disciplined. 

Box notation is a nielhodolog>' I hat progresses from func- 
tioiml specification to detailed design tJu^ough a series of 
steps retiresented as boxes with varying transparency. Tlie 
first box is a black box signifying that all extenial aspects of 
the system or module are known but none of the mtenial 
implementation is known. This is the ultimate object- It is 
define* J by noting all the stimiih applied to the box by the 
user and the observable responses produced by these stiintili. 

Inevitably, these responses ^e a function not only of the 
stimulus, but tilso of the stimulus history For example, a 
UKmse click at locafion 100,200 on the screen will produce a 
response that depends upon the behavior of the wuidow 
that currentiy includes the location 100,200. The window at 
thai location is, in tuni, a fmictiort of all the jirevious mouse 
clicks and other inputs to llie system. 
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The black box is then conveited to a state box in which the 

stimulus history prcKlucing ihe resi>onses of the black box is 
captured in ihe fonti of .states Uial (he box passes through. 
The response produced by a given stin\ulus can be deter- 
mined not necessarily from the analysis of a potentially infi- 
nite stimulus histoi>; but more simply by noting the state the 
system is in and the response produced by that stimnlus 
within that stale. States are captured as values \i1Uuii a set 
of state data. The state box fiilly reveals this daEai It con- 
tains an interna] black box that takes as its input the stimu- 
lus and the current set of state data and produces the de- 
sired response and a new set of state data Tlie slate data is 
fully revealed but the internal black box still hides its own 
internal pn>t*essing. 

The state box is then converted to a clear box in which all 
processing is visible. However, this processing is repre- 
sented as a series of interacting black boxes in which the 
interact ions and the relations are clearly \isible buL once 
again J the black boxes hide their own internal processing. 
This clear box is the final implen^entation of the object. In 
this object., the encapsulated data and the methods to 
process it are clearly visible. 

Each of these internal black boxes is then treated similarly in 
a stepwise refinement process that ends only when all the 
inteniai black boxes can be expressed as single conunands 
of the destination language. 

This process allows many of the pitfaUs of object-oriented 
design and programming to be avoided by caieftiUy illumi- 
nating them at the proper time. For instance, the optimum 
data encapsulation level is more easily tietemiined because 
the designer is forced to consider it al a level where per- 
spective is the clearest.. Data encapsulation at too higli a 
level degi ades (nodularity and defeiiUs "object oriente<iness," 
but data encapsulation at too low a level produces redun- 
dancies and uMilliple coines of the same data with the asso- 
ciated pfjssibility of update error arui loss of integrity. These 
pitfalls are more easily avoidetl because the designer is 
forced to thmk about the question at exactly that point in 
the design when the view ol ihe system is optinuun IV>r such 
a consideration. 

Inspections. We f*mi>loyed a slightly at lap ted versitm of the 
IlP-recdnunenderl inspection inetiiod tauglit by Tom Gilb,'^ 
We found this method ver>' satisfactory. (Jur minimal ada]ita- 
rion WHS to allow slightly more discussion during the logging 
meeting than (rilb reconnnends. We felt that this was needed 
to acconmiodate functional verification. 

Functional Verification. No attempt was made to imijlement 
anjlhii\gbui the first level of functional verification — intel- 
lectual controL Tliis was found to be easily implemented, and 
w he n ! h e pri n t : ip I es w e r e adeq u at ely a r I h e re d i < j , was aJ rt i ost 
automatic* Insj>ectors who knew nothing about functional 
verification or intellectual control aittomatically accom- 
plished it when given matenal tliat conformed to its priii- 
ciplesand, muu.singly, Utey also automat it ^Uly cojnplaijied 
when shghi deviations from these principles m-curred. 

Stnictyred Specifications, The* project team called tleanrocinrs 
stmctiued spccificutinns process evo hi tionaiy^ rlelivi^r^' lic*- 
cause of its similarity to the evolutionary delivery methodol- 
ogy" mentioned earlier and because evolutionary cleHv(*r^' is 
nt<jre like* tiui' lU'environmeiU. Sti-ucturetl specifications 



were de\^eloped in a defense-industij' environment where 

dyTiamic specificatiDns are frowned upon and where adapt- 
aiiility is not a virtue, Ilow^ever, evolutionary dehvery as- 
sumes a dynamic environment and encourages adaptability 
Regardless of the differences, both pbjlosophies are simitar. 

At first, bcjth marketing and management were skeptical. 
They were nol reassured by the idea that a large amount of 
time would elapse before Ihe product would take shape be- 
cause of the large up-front design investment and becrause 
some feamnes would not Ik^ addn^setl at aU until ver>' late in 
the development cycle. They were told not to expect an earfy 
prototj'pe within the first few days that would demonstrate 
the m^jor features. 

Very quickly, these doubts were dispelled. Marketing was 
brought into the effort chjring the e^trly rigorotLs design 
stages to provide guidance and direction. Ttiey participaieci 
in the specitication stmcturing and set priorities and desired 
schedulers for tht" releases. Ttiey caught on to tite idea of 
getting the "juiciest parts" first iuid foimtl thai tliey were 
getting real code very quickly and could liave this real co(3e 
reiiewed by real users while there was still time to allow the 
users* feedback to infiuence design decisions. Tliey also 
became enthusiiistic about participating in the irkspeclions 
during the top-levei definitions. 

Management realized that the evolutionaiy stageti re lewises 
were coming regularly enough and quickly enough that they 
could predict very early in the development cycle which 
stage had a high possibility of being finished in time to hit 
the optinnnn release window. They coulil then ailj list scope 
and priority to ensure that the release date couid be reliably 
achieved. 

Morale, Tlie cleaiH-oom literature claims that cleanroom 
teams have a very high morale and satisfaction level This is 
attributed to tiie fact that tiiey have finally bc^en given the 
tools ne{ essar>' \<i achieve the kuitl of c[uality Jr>b that eveiy- 
one wants to (io. (Jur own experience was tluit I his octitrred 
surprisingly quickly, People witli remarkiibly disptu'ate, 
scarcely compatible personalities not only worked well 
together, they became enthusiastic about the process. 

It appears ttiat tin' followitig factors w^ere infiuenrial in 
producing high morale: 

* Ahnost daily inspt^ctions created an environment in W'hich 
each person on the team took turns being in the '^liot seat." 
People quickly developed an understanding that reasonable 
critic ism was both acceptal)le ajid beneficitd. The resulting 
frankness and opemiess were perceived by all to be remaik- 
ably refreshing and exhilarating. 

> Team members were sur(>rised that ihi^y were being allowed 
to do what they were doing. They were allowed to take the 
time necessary to do the kind of job they felt was proper. 

Productivity. Productivity was difficult ]t) mi^n^Mri' " >nly one 
proje<'t act uglily iitadf it to the market p}a<e. aji<l ii is diffi- 
(Hilt to divirh' lilt itisi nji lion count accurately among tJie 
engmeei*s iliai cuiKriljuted to it. However, the subjective 
jmpiession was thai it ceilainly didn't take any longeT'. When 
no divlects are tound one sudtlenly discovers thai Ihe job is 
fmi^ihed. Al firs! tins is (lisconcerting and iuUiilimactic, but 
it ali^o emphasizes tiie savings that can be realized at the end 
of the project, This crmipensates for th(* extra effoii at the 
begun ling of tjie pr<jject.. 
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Conclusion 

nie cleanroom team mentioned m this paper no longer exists 
Bs a single orgaiuzaliun. However, portions of clean room are 
still being practiced in certain organizations witliin HewleU- 
Packard. These portions espe<:ially inclnde structured 
specifications and intellectual control 

We believe our efforts can be duplicated in any software 
orgjuiization. There was nothing unique about our situation. 
We achieved reinarkable results with less th£ui total dogmatic 
dedication to the methodology. 

The product that made it to nutrkel w iis designed using func- 
tional decomposition. Even ttiough huK'tional decomposition 
is minimally rigorous and disciplined, we foimd the results 
completely satisfactory. The prcjject consisted of enhancing 
a 2-KNCSS module to 3,5 KNCSS. 

The original module was reverse engineered to generate the 
functional decomposition dortnnent that [became the basis 
for the design. The compieteti module was subjected to the 
intellectual control processes and the reviewers were never 
lold whicli code was liie original iiiid whicli was modified or 
new code. A lotal of'Ki tk^fecls were found during the in- 
spection process for a total of 10 defects per KNCBS. An 
addiliot^al live delwis were found the llrst week of testing 
(1,4 defects per KNCSS). No defects were encountered in 
the subsequent 10 months of full system integration testing 
and none have been found suice the system was reletiscd. 

It was interesting to note that the defects found during in- 
spections included items such as a design problem which 
woidd have, under r ar e conditions, mixed incompatible file 
versions in the same objectt a piece of data that if it had 
been accessed would have tjrotlucefl a rare, nonrepeatable 
crash, and a number of cases in which resources were not 
being released wiiich would, after a long period of tune, have 
caused the Windows system to halt. Most of these defects 
would have been vei^' difticult to find by testuig. 

Defects found during testing were primarily simple screen 
appeaiance problems which w^ere readily \Tsible and easily 
cliaracterized and eluuinated. Tliese results conform vvell to 
expected cleamoom results. About 9tFti of the defects were 
elinunated by inspections with functional verification* About 
WHi more were cliniiiiatetl via testing. No other defects were 
ever encountered in subsequent full-system integration test- 
ing or by customers ui the field. It vim be expected on the 
basis of oOier cleanroom results reported in the literature 



diat at least 9LM of atl defects in this module were etiminated 
in this way and thai the final product probably contains no 
more than OJ defect per KNCSS. 
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Fuzzy Family Setup Assignment and 
Machine Balancing 

Fuzzy logic is applied to the world of printed cincuit assembly manufacturing 
to aid in balancing machine toads to improve production rates. 

bj Jan Kmcky 



In disciplines such as engineering, cheiiiistiy, or physics, 
precise, logical mathematical models based on empirical 
data ai-e used to make predictions about behavior. However, 
some aspects of the real world are too imprecise or "fuzzy"" 
to lend themselves to modeling \^itii exact mathematical 
models. 

The tool we liave for representitig the inexact aspects of the 

real world is called fuzzy logic. With fuxzy logic, we can 
model the imprecise modes of reasoning Uiai play a role ui 
the hum ail ability to make decisions when the en\iromnent 
is uncertain and imprecise. This abihty depends on our apti- 
tude at infening an approximate answer to a quesdon from 
a store of knowledge that is inexact, incomplete, and some- 
times not completely reliable. For example, how do you 
know when you are '"sufficiently close" to but not too far 
away from a curb when paraUei parking a car? 

Iji recent years fuzzy logic has been used in many applica- 
tions ranging from simple household appliances to soplus- 
ticuted applications such as subway systen^. This article 
describes an experiment hi which fuzzy logic concepts are 
ajjplied in a printed cirf;uit assembly manufacturing environ- 
ment. Some background material on fuzzy logic is also 
(provided to helji iinder^taj\d the concepts applied here. 

The iUantifacturmg EnvirQiiment 

hi printed circuit asseniljly enviroiunentis, manufacturers 
using surface* mount technology are concenied wiih machine 
setup ajid placeiuent times. In low-producl-mix prudiiction 
enviroiunents ruimiifactiuers are primarily concerned wiUi 
placement time atKl to a lesser degree setup time. In medium- 
to-higii-prcKluct-niix prtKluclion environments niiinufactiirei-s 
are mainly concerned witlt setup time. 

One solution to the setup problem is to arrange the prinled 
circuit assemblies into groups or fmnilit^s so Niat tive assem- 
bly ma(*hines caJi use the same setup for different products. 
In other wortls, reduce or eliminale setups between differ- 
ent assembly tuns. The solution to minimizhig placement 
time is to Ijalaiice the component placement across the 
placement machines, 

HP's Colorado Computer Manufat^turing Operation (C'CMO) 
isamedinm-to-higlvproduct-mix printed circuit assembly 
niaimfacturinjT entity. The henri.stic, fusczy-logtc^jased algo- 
rithms ilescri bed in Mns jiap^'r help delermine how to nuni- 
mize setnp iinie by chislcriiigprirtted rirtnil asseiiibjies into 
familii's nf pjuducts that share llu' same seliip and by 



balancing a product's placement time between multiple 
lugh-speed placenient process steps. 

The Placement Machines 

Tiie heart of our surface mount tecimology manufacturing 
lines in temis of automated placement consists of two P\ui 
CP-in high-speed pick-and-place machines arranged in series 
and one Fi\ji fP-D general-purpose pick-and-place machine. 

A Fiyi CP-III placement machine supports two feeder banks 
each having 70 slots available for component feeders to be 
mounted on (see Fig. 1). The components arc picked from 
their feeders and placed on the printed circnit boiudv creat- 
ing a printed cucuit assembly. A component feeder might 
take one or two slots. The tapc-and-reel type leedert which 
is the one we use at CCMO^ is characterized by its \^idtii for 
slot allocation purposes. The standiird feeder tape widths 
ai'e 8 mm, 12 nmi, 16 mm, 24 ntm, ajid -12 nuiL Tlie 8-nmi 
feeder tapes consume one slot eac^h while the 12-mm to 
32-nun feeder tapes consume two slots. Additional feeder-to- 
feeder spacing constraints might increase the number of 
slots Iht^ feeders actttally reiiuire, A coniponent*s presenta- 
tion, package tyije> and style detennine tiie tape-and-reel 
width and therefore the feeder size, 

Split-Bank 

A feature of the Fiyi CT-ITl called splUfmnk addresses the 
problem of high setup costs by allowing one bank to be used 
for component placement while the other bank is being set 



Assembly 
tjne 



"/ 



Banks 



Component 
Feeders 



Components 
on T^pfi 




Slots 



Fig. 1. ^5impiihec! n-prr^Hin fiction i>f a tape-and-reel type placemeni 
itiiirhinp. 
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Fig. 2. The split bank featurr^ <ii the? PmJI CP-lII a-ssembly machine. 
The llrst feeder banks of each machine aro isspcl for f>fftine setup. 

up ofiOine. Fig. 2 illustrates this split-bank feature. In tl^is 
configuration the first feeder bank on each niarbine is usecJ 
to perform the offlim;^ setup, and the second bank is used for 
component placement 

Setup Hme versos Placement Time 

Our printed circuit a^sHcuibly products vary' quite a bit in 
their seUiji-slot requkcments. They range from eight slots on 
the low cud to 200 slots on the high end. For an average 
product requiring 45 slots it takes 45 online minutes to set 
up the feeders for placement. Tiie average placement time is 
2.5 minutes per board, la a low to-mcdium-vohmie printed 
circuit assembly shop such as CCMO, the average lot size is 
20 products. Therefore, for an average run of 20 products, 
47% of the time is spent on setup (leading the placement 
machine idle) and 53% of tiie tin^e is spent placing the con> 
ponents. Tills constituies an unacceptable machine use and 
hence a low output from the manutacturing shop. It's noi 
just the online setup time, but also the frequency of having 
to do these setups tJiat affect^s pro<lucTivity an<l fiuality, A 
fLxed setup for an entire run would seem to [)e a sohition to 
this problem. However, in a medium -to4iigh'P rod uct-tnix, 
low-volimie envirormient such as ours, fixed setups camiot 
be used. HP CCMO currently manufactiaes 120 products 
wif h 1300 imique components placeabie by the Fi\ji CP-III 
equipnienh 

Another quick solution to this online setup time problem 
would be to place a certain percentage of CP-III placeabie 
components at a different process step. For example, we 
could use tJie Fiyi IP-II for this pm-pose. This is not a feasi- 
ble solution because I he F"iyi IP-II lias a fjlacement speed 
that is four times slower than the CF-lIl. We use the Fi\ji 
IP-Il primarily for placing large components. 

Alternate Setup Methodology 

The setup time requirements mentioned above suggest that 
we needed an alternative setup methodology to minimize 
online setup time. The approaches we had available in- 
cluded expansion on the spht-bmik option described above, 
clustering the [printed eircuit a^ssembly products into fami- 
Ues witli identical setup wliile still allowing the split bimk 
setup feature to be fully used, and l)alanciug tlie l wo series 
CP-III placement loads as much as possible. Balancing im- 
plies that the components w^ould be distributed between the 
tw^o placement machines so thai both machines aie kept 
reasonably busy most of the time. 

Since most of our printed circuit assembly products are 
double-sided, meaning tliat components are placed on the 
top and bottom sides of the printed circuit board, indepen- 
dent balancing for each side of the printed circuit assembly 



was considered. However, family clustering as view^ed by 
the layout t>rocess dictated that a double-sided printed cir- 
cuit assembly should be* treated as a sum of the require- 
ments for boiii sides of the boaid. Thus, no machine setup 
change wx>uld be required w^hen switching from side A to 
side B of the same product. 

Why Families 

Miile clustering products into families is a viable aitd im 
attractive solution, other possible solutions such as partially 
fixed setups augmented by families or sctieduling optimiza- 
tion to minimize the setup changes in the build sequence, 
arc also worth consideration. 

One can imagine titat none of the solutions mentioned above 
will provide the optimal answer to every online setup-time 
Issue, but their reasonable cornbinatioii might. The follow- 
ing reasons guided us into clKJOsing family clustering as an 
initial step towards tnijumixing online setui> costs. 

• Intuitive (as opposed to algorithmic) family clustering on a 
small scale has been in place at our manufacturing facility 
for sonte time. 

• It appeiirs that families give reasonable flexibility in terms of 
the build schedule affecting the entire downstream jirocess. 

• Families can take advantage of the C'P-in's st^lit-bank feature, 

• By alteiing the time window of a particular family's assembly 
dmation (i.e., by sliifl, day, week, month, and so on), one can 
directly control a family's performance and effectiveness. 

We chose a heuristic api>roach to minimi^sing setup time 
because an exhaustive se^irch is 0(n!), where n is the num- 
ber of productij. Our facility currently manufactures 120 
products and expects to add 40 new ones in the near future, 
whicli would make an exhaustive search unreaMstic. 

Primary Family 

As explained above, we wanted to use the family clustering 
approach to take advantage of the CP-llI sj)lit4>arvk setvij) 
feature. One can quickly suggest a toggle scenario in which 
each feeder Ijank would alternate between the states of be- 
uig set up offluie and being used for placement. However, it 
would be difficult to synchronize the labor-intensive acti\i- 
ties of perpetual offline setups in a practical implementa- 
tion. Also, this option would require a siLfficient volume in 
the toggled families to ailow^ the completion of oflhne setups 
at the idle placement banks. Given tJiese reasons, a strict 
toggle approach would probably not have worked to ini- 
provethe overall setup lime in our einironnxent. Instead of 
toggling, we selected ar^ a[>proach in which certain feeder 
banks are jjennarienlly dedicated to a family, and the re- 
maining hanks toggle between offline setup and placement. 
This approach led to the primary family concept. 

A prinuu^^ family is one that will not be toggled and is there- 
fore always present on the macliine. Since the primaiy family 
is pemi^mently set U[) it logically follows that each noni^ri- 
mar>' fajuily inchides primary family components. The more 
primary family slots used by a bank containing a nonpriitiary 
family the better Tlie smumation of two series CP-IIl's banks 
provides four setup banks available on a line. We elected to 
dedicate the first bank of each CP-III to the p>rimary family, 
leaving us with two banks for nonprimary families (see 
Fig. 3). 
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Fig. 3, The setup for primaiy and nottprlmary Amities, 

Fig, 4 shows how the piiniary family concept can be used to 
schedule a group of products to be builL Let's assume that 
we have priniarv' family A aiid two rioi\primar\' fajinlies AB 
aitd AC. (Pioducts m families AB and At' i: on rain compo- 
nents that are also part of [jroducti? in family A/) First, any of 
family AB's products can he huiit. Mthough primarjf^ fanuly 
As products could be built using tlie same setup, it is higldy 
undesirable since it would waste the [>resence of family ABs 
setup. So, after all the demand from family AB's products 
have been satisfied, we can switch to products in primaiy 
family A while we set up offline for family AC. On the practi- 
cal side, it is umiecessary to set up the entire nonprimary 
famiiy unless all the family's products are actually going to 
be builL 

This example shows that the primary family concept is use- 
fiil only if it is incoiporated into the build schedule and the 
primary^ famil^^ must have sufficient product volume to allow 
the behavior depicted in Fig, 4, 

Balancing 

Family clustering results in a shared setup by a group of 
print^^i circuit assembly products wliich among other tilings 
might share the same components. Tlus creates the problem 
of ensuring that the assembly of all products is adequately 
baiajueti on the two series CPni placement machines. If 
the loacl is not balanced, an undesirable starv^ation hi the 
process pij>eline nught occiu'. Balancing Is arcoinfilisluHl by 
properly assigning the family's components betw<'en the two 
series CP-IIl machines. An intuitive guess suggest-s that Ihc^ 
success of family clustering might make the balancing ef- 
forts proportii>nally hauler. Although the onhne setup time 
reduction is the primary goal, it cannot justify a grossly im- 
balanced %vorklf>ad bt^iween two serial CP-IIIs. T!ierefc*re, 
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Fig, 4, An tlltiistralinit of htiw ihr^ primary family concept can be 
used Lo scht'duJe n ftrtmp of products for a^sen^bly, 



machine balancing is the kej^ that truly enables the family 
approach. 

Other Methods 

In additicjn to applying fuzzy set theory to soh^e our family 
assignmejit and balancing problem we also used two other 
approaches: the greedy board heuristic and an extension to 

the greedy t>oard licuristic. 

Gr&edy Board Approach. A research group at HPs strategic 

plaiuiing and modeling group in coryunction T^ith StanfonJ 
I 'niversity suggested the greedy board heuristic approach to 
minimize higli setup cost for semiautomated mantifactiiring 
operations, HPs Netw orked Computer Manufacturing Op- 
eration (NCMO ) implemented the greedy board approach at 
their site.* 

In the greedy-board heunslic a family is defined by the repeti- 
tive addition of prodticts, one at a time, until slot availability 
is exhatisted. The selection criterion is a function of the prod- 
uct's expected volume and its additional slot requirements. 
The greedy ratio is; 

where Sj is tiie mmtber of additional slots a product pi adds to 
Oie family, and Vj is tlic prodticrs volume. Since the objective 
is to muumize the number of slots added while maximizing 
tiie family s volume^ the product with the smallest greedy 
ratio wins arid is added to the family. New" slots aie obtained 
and the selection prore.ss, \ia the greedy ratio, is repeated 
until either there are no more slots available or no more 
iUoducLs are to be added. See the greedy board cxattiple on 
page 54. 

The greedy board implementation at NCMO performs bal- 
ancing by assigtiing roniponents to the machines by a sim- 
ple altemaiion uniil ronslrainLs iire met. The components 
are initially soried by their volume iLse. This a|>i)roach bal- 
ances the family overall, but it c^arries no guarantees for the 
prtjducts thai tiraw from the family. 

Extension to Greedy Board Heuristic, The greedy board heuristic 
tends to prefer smaikT, higli-vuhinie printed circuit assem- 
blies Lti its selection procedm e. At C'CMC) we extended tlie 
original greedy ratio to: 



Gi 



V. X a 



where ci is an average number of slots product pi shares 
with products not yet selected. Tlie CCMO extension slightiy 
curbs the volmue greediness at the ex|>et\se of including a 
simjjie measure €if commonality. Howe^ er. tlie resiilts 
showed the ('CMO extension to the gret^dy l>oiud heuristic 
tjerformed sbghUy better than the original algoritlim. The 
restilts 1mm the two greetly-board apt^roacbes and the fijzzy 
approach are given later in this paper. 

EJespite the relatively good results achieved by oiu" extension 
to the greedy board beurislic api>roach, we were still look- 
ing for an aKenialivt^ aiipniacb. This led us to explore using 
fuzzy set thcoo' lo 11 ml a soluticHi lo our placement maclune 
stH up problem. 
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The Greedy Board Fainily Assignment Heuristic 



As menTfoned m the main articfe, a family in our ma nufac luring envimnmem is a 
group of products (boards) ftiat can be built with a single setup on ttie component 
placement machines. The greedy board heuristic is one way of assigning products 
to families for printed circuit assembly, The only data re qui red for the greedv 
board algorithm is the list af components and the expected volume for each board. 
Each family is created by the repetitive addition of products, one at a time, until 
slot availabflity is exhausted. 

In the following example assume there are eight component slots available per 
family and that the following boards musi be assigned to families. 



Board 

Alpha 

:$^ 

Beta 
Lambda 

Gamma 



Expected Volume (v[) 

14D0 

132 
ZGB8 
1100 

660 
1332 

900 



Compcinents 

A/F,iC,M 

RD.aF.K 

G, F, T L 
H, D. F, K 

A, J, E, K 



The board with the lowest greedv ratio is the first one added to the current famrly 
being created. 



Board 

A^fli 
Tango 

Delia* 

mm 

Beta 

Lambda 
Gamma 



New Parts 

(^) 

4 
2 

4 



Expected Volume 
(v,l 

1400 

132 

2660 

1100 

esB 

1332 

9O0 



Greedy Ritio 
iGi = Si/Vi) 

0.0029 
0.0152 
0.0019 
0,0036 
Q.OOBO 
0.0030 
0.0O4O 



Delia IS the board with the Eo^ivest greedy ratio so ii becomes the first member of 
the family It has the highest product volume added per componenislat used 
Delta adds five components, leaving three slots to till this family. 

V\^th die components H, D. R, F, and K already tn the family, for the next board the 
ratios are computed as follows: 



Board 


New Parts 


Expected Volume 


Greedv Ratio 




{Si) 


(Vj} 


(Gi^Si/vj) 


Alpha 


■.^ 


MOO 


0.0014 


Tango 


1 


132 


0.0076 


Echo 


2 


1100 


oooie 


Beta 


3 


66fi 


0.0045 


Lambda 


;0: 


1332 


0.0000 


Gamma 


5 


900 


0.QD33 



The Lambda board is the one with the lowest greedy ratio because its components 
are a complete subset of the components already jn the farriily. Smce addmg 
Lambda to the family does not require the addition of any components to the 
family, the greedy ratios given above shil apply for the selection of the rtext board. 
The Alpha board has the next lowest ratio and ft adds two new components [A 
and M) to the family This brings the total number of components in the family to 
seven — one slot left. 

After adding the Alpha board to th6 family, the new part-to-volume ratios for the 

remaining unassigned boards become: 



Board 

Tango 

Echo 
Beta 

Gamma 



(Sil 

1 
2 
3 

3 



ed Volume 


Greedv ^^^^° 


{v,\ 


(Gj = Sj/VjJ 


132 


00076 


1DQ 


0.0018 


668 


0.0045 


900 


0.0033 



Now Echo has the lowest ratio. However, the Echo hoard has two components, 
and since we already have seven components, adding the Echo coinponents to the 
family would exceed our limit of eight components per family. Therefore, Tango is 
the only board that will fit even though it has the lowest theoretical coniribution. 
Adding the Tango board fills up the family allotment Finally, the components in 
the family mclude H. C. D, A. fl. R K, and M 

The next family is defined by following the above procedure for the remainrng 
boards Echo, Beta, and Gamma. 



Fuzzy Set Theory 

The following sections provide a brief overview of some of 
the basic concepts of fiizzy set theory appUcable to the top- 
ics discussed in this paper. For more about fuzzy set theory 
see reference 2. 

Fnzzy Sets 

L'nlike the classical yes and no, or crisp (nonfuzzy) sets, 
fuzzy sets allow more varying or partial degrees of membeT- 
sMp for tlieir tiidividiiaJ elements (see Fig. 5), Conceptually 
only a few^ natural phenoniena could be assigned a crisp 
membersliip value of either yes or no vrithout any doubt. On 
the other hand, most of the real- world's objects, events, lin- 
guistic expressions, or iuiy abstract quitLities w^e experience in 
our everyday life tend to be more suited for a fuzzier set 
membership. Fuzzy sets allow their elenients to belong to 
jTUiltiple sets regardless of the relationship among the sets. 

In spite of their tendency to seem imprecise, fuzzy sets are 
unambiguously defined along \^ith their associated opera- 
tions and properties. The fuzzy sets used in the fuzzy fanxily 
assigimient and macliuie balancing heuristic exist in uni- 
verses of discourse that are finite and coimtable. 



Def iFiitfon. To begin our discussion of fuzzy sets we define 
the universe of discotirse X = [X],X2...Xi) and let fiAC^i) ^^^~ 
note the degree of membership for fuzzy set A on universe X 
for element X|. Tlie degree of membership function for fuzzy 
set A is pa(x) G [tl,l]j where represents the weakest mem- 
bership in a set and 1 represents the strongest membership 
in a set. 



Fuzzy set A = 



^1 



ui^ll 



^vhere the horizontal bar is not a quotient but a delinuter. 

Examples, I'he following examples show different types of 

fuzzy sets. 

Number as a fuzzy set: 
1 =niverse U = |0, 1, 2, 3, 4, 5] 

Fuzzy set A = 0.2/0 + 0.7/1 + 0.8/2 + 0.2/3 + 0.1/4 f 0.0/5 
Fuzzy set A might be described linguistically as "just about 
2" because 0.81/2 has the highest degree of membership in 
fiizzy set A. 

Defining people ui terms of their preference for certain 

alcoholic beverages: 
Universe Y = |beer, wine, spirits) = (yj, ... ya) 
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Time 1 Hours} 



1800 



2400 
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Fig. 6. A fu^y set. represeniaUon of tJte terra lunch hour. 

Operations, Operatioiis such as unions intersection, and com- 
plement are definpti in terms of their membership functions. 
For fvLizy sets A and B on Universe X we have the following 
calculations: 
• Union: Maub{x) = [^aM ^ \^eW 
or Vxi : HAUB(Ki) = Max(nA(xi), m{^i}) 
(see Fig. 7a}. 



180.451 



(96.541 



speed 



m 



Fig. 5. f nypi riml fiizjjy representation (if tlie notion of average 
tlriving s|jeed. (a) In the fuzzy representation tlie memherKltip class 
average driving speed varies from i&ero for <45 nu/h or >65 mi/h to 
100% at 55 mi/lr. (h) In a crisp representation membership in the 
averinge driving speed Ht^t is I0n% in the nuige from 50 tn 60 mi/li 
only, 



Fuzzy set B = 



m 



.(yil 



Yi 



0. 1 /I jeer + 0.:Vwinc^ + 0.0/spirits 



miglit des(^ribe somebody who doesn't drink muc^h but 

prefers wine aixd dislikeH spiritJ^ 

Fuzzy set C = 0,8/f)eer + 0,2/wine + 0.1/spirits might 

describe a beer lover 

Fuzzy set D = 0.0/beer + 0.0/mne + 0.0/spirits might de- 

scrilie a person who doesn'l indulge in alcohohe beverages 

Fuzzy set E = 0.8/l>eer + 0.7/wine + 0.8/spirits might 

describe a heavy drinker 

Defining a person in terms of their cultural heritage- 
Universe Z - [Zirconia, (Jpaliriia, Topa^siaj and HF(^i) repre- 
sents a degree of cultural heritage from the three provinces 
in some unagin;iry gem-prodiK ing country. 
Fuzzy set F = 0.:3/Zirconi;m + 0.5/C )palinian + 0.1/Topazian 
miglit describe someone who was bom in Wesieni Opalhia, 
attended a university in Zirconia, m\i\ n^arried a Topazian 
lining in Diamond City, Zirconia. 

Luncb hour: 
ITniveme W = Day (continuous time of 24 hours) 
The fuzzy set L ( 1 100 lo l-JOO) might represent the term 
""hmrh hour" as shown in Fig. b. 
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Fig. 7» Knzzy set operation.^ 
(t ) tJntnnlement. 
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• Intersection: HatibW = P-aW A ^bW 
or Vxj : [iAnB{X]) = mn(fiA(xi), ^B(xt)) 
(see Bg. 7b). 

• Complement-. |jia(5c) = 1 - \^a(^) 
or Vxj : |iA{xi) = I - ^^(^1) 
(see Fig. 7c). 

Ail of the operatiOJia tlefmed above hold lor fuzzy or classical 
set theory. However, I he two formulas known as excluded 
middle laws do not ho)d for fuzzy sets, that is: 

AUA-X 
An A = 

for classical set theory, but 



AU A ^ 

An A ^ 



for fuzzy set theory. 

These laws, which take advantage of the eUhernir only 
membership for a classical setls elenienUi cannot hold for 
fuzzy set's because of theii' varying degree of sei rnernl>er~ 
ship. Fig, 8 proTrides a graphical comparison between these 
two formulas for classical and fuzzy set operations. 

Fuzz ill cation and Defuzzification 

Fiizzification and defuzzification are operations that trans- 
late back and forth betvi'een fuzzy and crisp representations 
of information, measures, or events. Since most of our envi- 
ronment is more naturaEy representetl in a fuKzy form rather 
that! a crisp form, the need for a fuzziiHraiion step could be 
perceived as being a rare event. On tJie other hai^d^ a defuz- 
zification procedure is needed more often, as in the case in 
which a fuzzy set htis to be expressed as a single crisp num- 
ber. There are several defuzzification methods. One of the 
most commonly used and computationally tri\ial is the Max 
method. The Max method simply chooses an element with 
the largest membership vaJne to be the single crisp repre- 
sentation of the fuzzy set. For example, for the fuzzy set C 
given above the Max defuzzification rnethoti would yield 
0.8/beer (Le^^ fuzzy set C describes a beer lover), 

Ftizxy Relations 

The concept of relations between fuzzy sets is fairly analo- 
gous to the idea of mapping in classical set theory in which 
the elements or subsets of one universe of discourse are 
mapped to elements or sets in anotiier imiverse of discourse. 
For example, il' A is a fuzzy set on universe X and B is a fuzzy 
set on universe Y then lJ>e fuzisy relation R = A ® B maps 
universe X to universe Y (i.e,, R is a relation on mii verse X x 
Y). The symbol denotes a composition operation which 
computes the strength of the relation between the two sets. 
Please note that in general A(g)B ^ BigiAand furthermore 
A ?^ R @ B. 

Special Properties. The following aie some of the special 
properties of fuzzy relations. 

• A fuzzy set is also a fuzzy relation. For example, if A is a 
fiizzy set on universe X and there exists 1 = 1/y as an itlentity 
ftisMsy set on Universe Y = {y), then fuzzy relation H ^ A ® I 

= A. 

• Tiie same operations and properties vaUd for fuzzy sets also 
hold for fuzzy relations. 



AUA=X 



T 




AUArt* 



/\/\ 



1- 



c 
1 



AriA=0 



1 



•- \ A r- 



AA 



f- AriAs^r 



•See Fig, 7c for A 

Fig, 8, A corupari&oii of the excluded middle laws for (a) classical 
sets and {b} fuzKy sets. 

* Fuzzy logic impUeation of the form P ^^ Q can be also repre- 
sented by a fuzzy relation suice T(P ^* Q) = T(F V Q) where 
T is the tnnh evaluation function. For example, if A is a 
fuzzy set on universe X and B is a fuzzy set on uiii verse Y 
then a proposition P -* Q describing tF ATHEN B, is etiuiva- 
lent tt> the fuzay relation R = (A g? B) U (A (g) Y). Fig. 9 
shows a grai>ihcal representation of diis relationship. 

Fuzzy Composition 

Fuzzy composition operatiotvs compute the strength of the 
relation between two fuzzy relations. To shovv the most poj)- 
idar composition operatoi^s, consider dial we have fuzzy sels 
X, Y, and Z and that R is a fuzzy relation on universe X x Y 
and dial S is a fuzzy relation on universe Y x Z. To find the 
fuzzy relation T = R ® S on universe X x Z we use one of the 
following composition operations: 



Max-Min; ttTftij) = 



Max 



^IM 



Vk: 



^]vij 



«ij ^ Y (1) 



Min||iR(rk4),p,s(s 
Max-Product: ujftij] = 

Max Prod(nR(rk,L),fis(sj,k))vk :^ fJviJ : i s a J s y (2) 
Sum-Product: ^rftij) = 



l[p™d 



(iiR(rk,i),(iy(sj.k))vk:£ p 



Vi,j: 



u,J 



m 



y( 8 



1 




' 


1 - '^ 

1 AuB 


■ ^ ^'AUB,/.'/ 


^ AuB 




1 



-A®BijA®Y 



Fig. 9. A grapliical depletion of the fuzzj^ logic in\p!ication R ^ 

(A ® B) U (A ® Y). 
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where: 



Applving Max-Bdin yidds: 



a, p, Y ^^ the number of elements (c^'dinality) in the 

fuzzy sets X, Y, and Z 
L}. k are subscripts for matrix representadoos for 

the fuzz>^ relations. 

The Max-Min composiUon operator selei'ts the maximum 
membership value from all the minmial values of ever>^ cor- 
responding membership pair. For example* the Max-Min 
value from the membership pairs [(0.4,fl6), (0.2,0.5)1 is 0.4 
The MEix-Prod composition operator replaces the Min func- 
tion in the Max-Min operator with the Prod function* which 
performs algebraic muJtiplication for every membership pair. 
The Max-Prod ^"alue for our example above is 0.24. Finally, 
the Sunt'Piiid operator is derived from the Max-Prod opera- 
tor by replacing the Max function v^ith the Sum function, 
which adds together the results of the Prod operations on 
eacii nieinbcrship pair. .A.pj>lying the Sum-Prod operator to 
Ihe example abo^e gives the value 0.31. The are many other 
cont[K)sition operators a%'ailable, some of which are designed 
for specific^ applicaiions. 

Deriving Fuzzy Relations. The most difficult part about devel- 

opiiYg an application using fuzzy relations is obtaining the 

relations themselves. Some of the methods used to derive 

fuzzy relations include: 

Intuit ive knowledge^ human experience, and opinions of 

experts 

Ciilculation methods for membership ftmctions 

FM?:Ay compositions 

Converted frequencies and probabtlilies. 

Example. Tlie following example ilhistrates how to derive a 
fuzzy relationship. Consider the fuzzy sets and mil verses 
described earlier: 

Universe Y = (beer, wine, spirits} 

Universe Z = [Zirconian, Opalinian, Topazian] 

We will assume for tliis exatnple tliat the relation R on uni- 
verse Y xYjIb based an the opinions of exijert.s who know a 
lot about the drinking habitn of tlie inhaljitant.s of the 
provinces contained in universe Z. 



R = 



(16 0.3 0.1 
0.4 0.8 0.3 
0.2 OJ 0.7 



Althougii the relation R is derived from intuitive knowledge 
and experience, w^e could have tisetl one of the other meth- 
ods to derive it based on some jjaHid information. Remem- 
ber llial a fuzzy relation captures the paJrwLst^ strength of the 
relation between elements of both imi verses, wliicli in this 
case consists of beer, wine, and spirits in rows and Zircoiuaiit 
fJpalinian, ^mrl Topaziim in columns. Fur example, ihere is a 
sirong {0.8} possibility of an ( >palinian being a wine lover 
according to relation R. 

Now let's lake a betT lover flescribed by the fuzzy set 

C = O.S/beer + 0,2/wine + OT/spirits 
and perfonn Max-Min composition on tlte relatjon 

H = (^® R 



|jL|i(Ztrcoman) = 
MaxKMin(0.8A6).Min(0J,a4).Min(ai A2)l ^ 0.6 

|i|l(OpaliiiianJ = 
Maxl(Min(0.8,0.:3),Min(OJ.O.8),Mjii(0J.0J)l ^ 0.3 

fie(Topazian) = 

Max[(Min(0.8,0.1XMin(0/2,0,3),Min(0.1,OTH = 0,2 

Therefore, the resulting fuzzy set H = 0.6/Zirconian + 

O.:y0palmian + 0*2/rr:)paziaii might suggest tliat a l>eer lover 
is of predominantly Zirconian heritage ^Itli sU^t Linkages 
to Opalinian infiuences and very sMght Topazian influences 
based on the experts' opinion represented in relation R. 

Fuzzy Family Assignment Heuristic 

Tlie goal of our fuzzy family as.signnient heuristic Ls to fmd 
pro<lucts witli similar comimnenLs and group diem into fami- 
ties. In (jur family assigimient heuristic there are t\^'o nested 
iteration loops: mi outer loop for each family being created 
and an inner loop for selecting the ''besl-suited" product to 
assign to the family. The inner loop is terminated when there 
are no more products to be considered- Tlie outer loop is 
terminated either when there are no more famiiies or when 
no more products are being assigned to a psirticular fimiily. 
The following is a pseudo-code representation of our 
algorithm. 

1. Family = Primary' /* Initialization family variable */ 

2. REPEAT /^ Start outer loop */ 

3. Qualify = PC A /* Products to be assigned to a fimiily .*/ 

4. WIULE Qualify <> Empty /* Start inner loop. I^oop */ 

/-* until tiiere are no more prochtet- */ 

5. Find Product from Qualify with the tiighest seleciivity 
measure (Si) 

6. IF { a qualiflc^i Product is select ed A N I) t he sloi s 

required Ijy the selected Prodtict ^ slot availability 
of Family 

7. THEN 

B. Assign Product to Family and update slot 

availability of Fajnily 

9, Remove Pnidurr from PC A 

10, END IF 

11. Remove Ih'oduct from Qualify 

12. END WHILE 

13. Family ^ get_a„new_family(Pamily) 

14, UNTIL f PCA does not change OR no more Fantiiies) 

Product jiroduct being considereil for inclu-sion 

in a faniily 

get_a_new_family retiuns next available family's name and 
slot availability 

slot availability counter for the nmi i be r o f p laceme n t 

machine slots available to a fjunily (This 
number is dt^crcased by the mnul)cr of 
slots r-e(tiiired by each product assigned 
to the family.) 

PCA list of products to be considered for 

fmnily assigmneni (Tliis list is uinlated 
each time a produ<*l is assigjied to a 
faniily ) 
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Qualify 



same as PC' A pxcep! that this variable is 
used to delermijie when to terminate tlie 
iimer loop and is updated at each 
iteration. 



Slots: 



At the end of this algorithm there still might be products 
that cannot l>e ajijsigned to any faniliy because of slot avEiil- 
ability^ or there might be faniihes with no products assigned. 

We used the concepts of fiiy.isy sets, fuzzy relations^ and 
fuzzy composition to determine which prmiucts to select aiid 
assign to each family. The variables used in our algorit hm 
mclude a fuzzy set pj which represents the printed circuit 
assembly j) rod acts, a selectivity measure Sj, which is a value 
that uidirales hnw t'ach product pj miglil Ot into a particular 
family, and finally^ the fuzzy relation r, wtiich is used to 
capture the relation between selectivity Sj and product pj. 

Since the volmiie, commonality (common parts), and addi- 
tional slots are the three independent qualifiers that describe 
a product, they were used to define the product universe P = 
[ commonality, slote, volume]. Thus, a product 

P[ = mli/conunonality + m2i/volmue + mB/slots (4) 

is a fiizzy set on universe P w^here mli, m2ji and m3i iu:e the 
membership values on the interval <f),l> for product p^. 

We implemented the following computational methods to 
obtain the membership values for universe R 

• General conunonahty. General conunonahty between product 
P[ and p^ IK defined as: 



comni(pi,p2j = ncs(pj,p2)/tns(pi) 



(5) 



where ncs is the number of slots common to pi and p^, and 
tns is tjie total number of slots required by pj. It could be 
deduced that in general: 

comm(pi,P2) ^ comm(p2,Pi.) miJesstns{j;>i) = tnstPi^). 
ConmionaJity during primary family selection: 



mlj 



2 comm 

N 



(Pj.Pi) 



for product pi. 



m 



N is the number of products not yet assigned to a family, 
• Commonahty during nonpriniary family selection: 



mlj 



y comm 
j-i 

N - 1 



(Pi.Pj) 



for product Pi. 



(7) 



N is the same as abpye. 
Volume: 



m2i = 



demand[pi) 
Max( demand! PjI) 



for product pj 



(8) 



where demand(pi) is the expected volume demand for 
product Pi and N is the same as above. 



mai = 1 



slotsfpi 



slots_availablet 



for product pj 



(9) 



where slotsfpi) is the number of additional slots required for 
produc-t Pi if it is selected, and s]ots_available, is the number 
of slots available for a particular fajuily during iteration t of 
the assignment algoritlun. 

Selectivity and Fuzzy Relation 

Suice the selecti%dty measure s is defined on the luii verse S 
= (selectivity!, th*^ selectivity for product pj Is defined as a 
fijzzy set on univeise S: 



Si = m/selectivityH 



CIO) 



Fuzzy relation r on univeise R = I^ x S is used to capture llie 
relatioti between product selectivity and the product itself 
Wlien we trarLslate the general notion of a fvizzy relation into 
the reality of our problem, we entl up with a 3 x 1 matrix 
representation of tJie relation, llie column symbohzes the 
cardinality of universe S and the three rows relate to the 
product [jnivcrse P (i.e., commonality, volume, and slots). 
Since different selection criteria [uight be desired at ditTer- 
ent stages of the selection process, we found a need for at 
least two distinct relations. Thus, l>ased on our experience 
we selected the following two categories that might require 
separate fuzzy relations r. 

First product cissigne<l to a primary or nonprirnaiy family 
Nonfust product assigned to a primmy or nonprituiuy family. 

Tlie hardest part about using fuzs^y relations is obtaining t heir 
membership values. We wanted I he rnembersliip values de- 
rived for the relation r to ex|>iess the iiuportimce assigned to 
each of the three elements in universe P (i.e., commonality^ 
volume, and slots) duruig the process of selecting products 
to add to a paiticular family. l-"or example the relation: 



n 



0,7 
0.4 
0.2 



(conmionalily) 

(volume) 

(slots) 



says thai for product pi during an iteration of the assignment 
algoritiim, conunonality is to be given greater emphasis in 
family assignment than volume or slots membership values. 

One can use one of many fu2izy composition operators to 
ronstni<*t the relation, or one can Irnuitively guess the fuzzy 
relation r basetl on some empirical experience or expertise. 
In our prototypical implementation, we selected the second 
approach. 

Initially, w^e experimented w ith the empirically derived 
graph showm in Fig. 10 to come up with the membership 
values for the two categories of fuzzy relations mentioned 
above» Note in Fig. 10 that the fuzzy relationship \-iUues for 
conmionality, volume, and slots are dependent on the slots 
membership value. For example, a slots membership value 
of 0.5 would provide the rehition matrix: 



0.8 

0.2 

0.0 
L J 
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QJ 0^ U a.4 OS 0.& OJ 
Slots Membership Value 



OJ Oi tir 



Fig. 10. Fuzzy rebtion iiierabership valut'S for tmr exjM^mnenrijl 
functional approach to family assignment 

Tliis approach turned out to be too complex and cumber- 
some because of our lack of cxjjerience \\ith creating mem- 
bership relations. Consequently, at the end we settled for a 
constant d el ermi nation of a relation's individual values to 
get us startedH Tills approach resulted in Ihe rollowing two 
fuzzy relatioas in our protot^^^ical Itnplementalion: 

First product assigned to a primary or nonprimaiy family 



0.550 
0J5O 
O.:300 



for product Pi (I < i < N) 



♦ Nonfii-st product assignetl to a printar>' or nonpriinary family 



ri =. 0.200 
I 0.250 J 



for product p[ (1 < i < N) 



where N is the number of products not yet assigned. 

11 Ls inipfjnani to iintk-e thai in geru^ra! no n^sinclinnsjirT 
unposirMJ on fumy nu'mhtvrsl tip values, but since we used the 
Sum-l^xKjurt fuzzy if)ruj)ositjon operator then the sumtnation 
of the elements in each relationship matrix must be ^ L 

Example 

The fuzzy composition for our family assignment problem is 
g^ = Ti ® p|. Although we investigated a number of ftizzy 
composition operalors, we had tht^ most success with the 
Simi-Producl contposition operator 

The lollowij^ example illustrates the actions performed by 
the assignment algorithm to select a product to assign to a 
particular fitmily, 

» Assume there are three products p|, p2, and p;i and that we 
are selecting the first product to be assigned to a primary or 
nonprimary hmiily. 

• ncs (number of con uu on slots) for pairs of pj. pj for i < 3 J 
< 3 is: 



20 


10 


12' 


10 


rto 


21 


12 


21 


40 



• slots_available = 45 

• demmtd (pi) = 85, additional slot'^(pi) = 20 



From equation 4: 

pi = mil/commonality^ + m2iA^olume + m3|/slot 

where: 

by equation 5: conmi(pj, p-j) - 10/20 - 0*5 and 
comm(pj, p;j) = 12/20 = 0-0. 

From equations 7, 8, and 0: 

0.0 + 0,5 



nili - 



= Liy2 - 0.55 



m2i = 85/Max(85, 100, 60) - 0.^ 
m3i = 1-20/45-0.56, 

Finally, 

Pi = 0.5S/commonality -f 0.85/volume + O.S&'^slot 

> deniand(p2) = 100, additional slots(p2) = 30, and 

P2 = 0.51/commonahiy + LOO/volume + 0.3^3/slot 

demand(p3) = 60, additional slots(p;j) ^z 40, and 

P3 = 0.41/commonality + O.GO/voknne + 0.11 /slot. 



• Since ri_2 3 = 



0.550 
0J50 
0.300 



using equation 3, the Sum-Product 



operator, the fuzzy composition Sj = rj ^ pj for this example 
is: 

si = ri ® pi = 0.55 X 0j35 + 0.150 x 0.85 + 0,300 x 0.56 
= 0.598 

s.^ = r3 @ p3 = 0.348. 

* Finally, since Max(si, S2j S'i) = S], product pi has tiie higliest 
selectivity measure and is therefore assigned to the family 
being formed ditring this iteration. 

Fuzzy Machine Balaiteiitg 

After the ftisszy family assignment algoritjun assigits tlie 
product^s to Uieir corresj)on<ling familie.s, the fuzzy machine 
balmtcer tries to assign each family s coniponents to the 
placenvenl niarhine.s. The primary' DbjtHtive is t(j have each 
side of the assembled printed t- ire nil assembly tise Ihe two 
series CP-IILs as equally as possible. 

C Otis train tij 

A.side from the inherent constraints introduced by families, 
maimfacturing n?ality brings a few special cases of already 
predetermined mat^hine iissignments and constraint's, 

Physicat Process Canstrairtts. Since the objective is to have as 
much setup slot i f>o[n as jjoasthle. eeriaJn physical process 
related limitations ixnue. For exiunijle, conslraint^ on tbe veiy 
last slot, available on tbe btmk do jkjI cillow a two^lot-wide 
feeder to be motmted on the last slot. If we have one slot 
still available cm each machine and we have to place a i^wty 
slot -wide feeder, we nved Uy move a one-slot -wide fettle r 
from otie mad line to make rocjm for the twoslot-wide 
feeder. Finally, a componetrt whose package is higher than 
3 J mm musl be placed by the second machine since the 
component height might interfere with the [>lacing nozzle on 
a densely populated printed circuit asseml>ly. 



Jiiiip mn tk'wIetlrPackard Jtjumal 59 



)Copr. 1949-1998 Hewlett-Packard Co. 



Primarv Famifv Products. If the primed rireuit asf^embly mem- 
bers in (}ie primary iiuiiUy cnuUl hebalaiiced wilhout consid- 
eration for tile remaining ])rJni.ed circuit assenihlie.s that ase 
a portion of ihe primary faniily, l)alanring txmk] ]jroi?ably be 
achieved at die expen^^e of l\w remaining products' imlial- 
ance, Tlius, it Is cniciai that balancing for jminary family 
products take into coruiicioration the remaining products. 

Nonprimarv Family Produt^ts, In the case of nonprimary family 
produci.s, r he problem is just the opposite of the problem 
encounteretl for primtuy faniily products. For nonprimary 
family products baltuicing has to incorporate tJit^ c<jmponejU 
assignments already committed by ihe primary family 
ba htnc ing \i race d u re . 

Placement Time Estimation, The tnie placement lime for a 
printed circuit tisscmbly is a function of the placement se- 
quence, which includes the placement table movement, the 
l>lacing bead rotation speed, and the feeder l>ank movement. 
The only information we have avidlable is d^e placing head 
rotation sf)ecd and even that is an apijroxiniation. The maxi- 
mum allowable speed for the placuig head rotation is deter- 
mined from a componenrs polarity, presentation, jiackage 
type, si55e, and pickup no/zle size. Furthermore, the placing 
head lia^s 12 two-nozxle stations Ihat ai'e ail influenced by 
the heati's, speed selection. We approximated the placement 
speed by obtaining the speeti of the head rotation. 

PfoduGts with Inherent Imbalance. In certain cases only the 
duplication of a cornjjonent's availabilhy among die CP-ni 
placement machines would lead to good bakuice. For exaan- 
ple, il is j)ossible thai a printed circuit assembly's side re- 
quiies a placement-inlensive component ihdi greatly ex- 
ceeds the total placement of the remaining components. 
Oidy an availabihty of that component in both of the CP-Ill 
setups would provide a shot at a reasonable balance. In our 
initial implementation we didn't use this approach. 

Algorithm Outline 

Just as in our family assigrunent approach we used the con- 
c:epts of fuzzy sets, relationships, and fuzzy composition to 
balance the series CP4II loads for each printed circuit as- 
sembly side being assembled. The following is a high-level 
procedural otitline of our babuKitig algorithm. 

1. Define component fuiszy set Cj for 1 < i < N 

2. Sort ali Ci in decreasing order 

3. hiitiall^e fuzzy relation r 

4. FOR 1 < i < N 

5 . IF Ci h its no pr ed etern \ in ed match i ng ass i gn ment ni^ 

6. THEN 

7. mi = r ® Cj 

8. nij DefuzziQcation ^> Jtia for Cj 

9. END IF 

10. /\ssign component Cj to machine ttia 

IL I p date the relation r; r ^ reLupdatefCj, nij^) 

12. END FOR 

13. Ensure that all luachuie constrauits aie satisfied. 

Cj is the ith component represented by the fuisxy set c 
N is the number of components to be assigned 
nil is the mactiine fuzz>^ set o!;>iauied for component 

tUa is an actual machine a to which the component c^ 
has been assigned 



r describes ttie relation between Ci and mj 
® is the fuzzy operator. 

N 

Nonfu/zy sorting of fusizy sets is based on V Wjj where Wjj 

i=l 
is a value described for all fuzjey components c^ (described 
below), i is dip ifh component, tmd j is the jth product 

Fuzzy Component c 

A fuzzy set Cj representing a physical con^ponent Cj is defined 
on universe? = (pi,P2. .Pq( where pi, P2,...pq represent 
products. Thus, fuzzy set 



t'i = (Wi^/pi, Wt,2/P2, ■■■ Wij/Pq) 

where: 



(11) 



w^i = Wij/nonn(Ci) (12) 

Wjj = w_place{Ci) x (ity_per(Ci,p|) x no ^, images (pj J 

xlogio(demajid(j)j)) ^ (13) 

w^place is a placement time weight facicu^ 

for physical component Cj 
qtyjper is the number of times a component 

Cj is placed on product pj 
no_iniages is the number of times iiroducl p, 
apj/eiu^ on a single maiuifacturing 
liKI tu'e (panel) 
demand is the expected volume demand for 
product Pi 

nomi[Ci) = Max(Wy) [14) 

Q is the cardinality of urxlverse R 

Machine Fuzzy Set m 

The machine fuzxy set m is defined on the universe M = 
(CP3.1,C P3.2]. Conseciuently, die fuzzy set tUj is defined as a 
fuzzy set on universe M as: 



nil = Wj,i/CP3.1 + Wj 2/CP3.2 

and it is obtained by r, ® Cj, where ® is the Tu'/My 
composition operator of clioice. 



{15) 



Fnzzy Relation r 

Fuzzy^ relation r on universe R = P x M is used to capture the 
relation betw^een t he physical component C represented by 
fuzzy set c and machine fuzzy set m. We devekjped the fol- 
lowing general equation to obtain membership values for die 
relation n 

^k.ii = ^ - assigned_cuTTentk^n^as,signed_cxpected|^„(16) 
where: 

< k < Q shice Q is liie cardinality of 

universe i* 

1 < n < 2 since mii verse M has two 

elements CP3J and CP3.2 
assigned_currentkji i^ ^1^^ cuixcnt assigmnent for the 

kth product and the nth physical 

machine 
iissigned^expectedk^n is the expected assignment for 

the klb pi o duct and the nth 

physical machine. 
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If assigited_cuiTent|( n > assigned_Fxpected|c^ then %(, = 
{t^ should be in the <0,1> interv-aJ ). 

We considered two possible ways to obtain values for 
assigned^cuirentk.n ^^^ assigned_expe€tedj£j|. In the first 
approach, we only considered the component placement 
fime without any additional consideration for slot space 
limitations. In the second approach, w^e tried to incorporate 
some of the knowTi slot cons( minis. The failo^ving *Hiiiatif)as 
show the two approaches for obtainitig the values for 
assigned_cinTent|cn ^^ti assigned_e3q}ectedic „" 
• Piacement time only. 

assigned_expecledk,ii = 



j=NArjeA 



1 



i^iM] 



+ ac 



k.ii 



>^ Pl>k.n 



(17) 



z = S ACeMachn 



assigned_cmTentit^„ = 



1 

J=l 



(Wjk) + ack.„ (18) 



where: 

PPk.n 
Machn 



is the placement time sum for components 

conmiitted to the nth machine for the ktli 

product 

is the percentile portion of the kth product 

preferred to be consumed at the nth 

physical machine 

is a crisp set of dl physical components C 

assigned lo the nth i>hysical machine 



A = U Machj, 



(19) 



Wj j( see tlie definititm of the fiiKzy cnnTponent c 

given above* 
N is the number of components lo be assigned. 

• Placement time with slot constraints considered. 
assigned_e3q]€cted|( t^ = 



j = ^!At^^A 



I (Wj,lc X Sj) 



X avail, I + actiji 



^- PPkji 



assigned_currenlk n = 



^ (Wj^ X Sj) I X takeun + acj,,, 



I 



where: 

PPk,ti 
Machi, 



W 



ik 



Sj 



is the plareinetit time sium for romprmeots 

comnitlled to the nlh machine for the* kth 

prothirt 

is the percentile portion of the kth product 

preferred to be consumed at the nth 

physical ruachine 

is a cri.sj) set of ill I pl\ysicaj components C 

iLssigni'd Ki the ruh [)hysic;t] machiiu^ 

see the (jclitiitioit of rlie fiii^zy ((Hnpoiieru c 

given above 

is tht* niimljcr of slots component Cj 

consumes 



availf, is the number of slots available for the nth 

machine 
takenn is the number of slots already taken at 

the nth macliine 

n-2 

A = U ^^3Chi, is a crisp set containing components 
n= 1 already assigned to some machine. 

Note rh^ the acjc ^ identifier used in both approaches in- 
cludes the predetermined components already assigned to 
a machine. Tlius, the fuzzy inat-hine balaticer does not ac- 
tively consider p redetermined components for balancing, it 
sirnply incorpomtes their passive balancing impact into the 
balancing prm-ess. 

l^e second approach is very complex and elaborate and tries 
to control a lot of independent measures simultaneously. 
Thus we selected the first approach for our prototype be- 
cause we achieved nittch better overall balance with tliis ap- 
proac h even though we have to ensure that slot eonstrait^ts 
are satisfied in an independent poslbalancing step. 

The fiizzy relation r has to be updated every time a compo- 
nent C is assigned to the nth physical macliine. Tliis proce- 
dure ensures that the current component assignment is going 
to be reflected by the fuzzy relation r. This update is done 
fairly quickly by recalculating the assigned_currentkji value 
for the I otTesponding machine n and product [>k (0 < k < 
Q). It is obvious tliat the update of assigned_eurrentk.n 
changes the appropriate rjc „ and hence the fuxzy relation r. 

Fuzzy Composition 

.-y thtjugli the MiiX'Min and Sum-Prod composition operators 
were invest igated, the Max- Prod fuzzy composition operator 
perfonued best for our balancinj^ algorithm, mnl we used the 
Max defuzKification api)roacti to select a comijoneni to assign 
to a particular machine. 

The follo\nng example illusfrates our machine balaticitig 
algorithm, hi tlus example we are trying to assign component 
cjoj and we have three product*;? p|, p^, and pKi to assemble. 
Components Ci to cji have tilready been assigned to one of 
two iJlaccmcul machines CP3.1 and CVS.2 

To simplify our calculations assimie that aci^ ^i is for all k 
imd all n meaning there are no predetermined com[)onents 
oti ioiy of thi» |)roducts in tjuestion. 

From equation 1 1 : 

t'lo = W]iri/pi + w;n^:j/p2 + W|o;i/p:j 
and fron» equal io!i 12 

wioj ^ Wioj/norm(Ciol 

Ifwe assume that Wi^m^^ji) = C112J2, 150.0, 0.0) then using 
equations 12 and 14: 

witu- 112.72/150.0-0.75 
^ui^^ 150,0/150.0- l.O 
wifti ^ 0,0. 

Tlujs, 

cjo = 0.75/pi + LO/p'2 + 0.0/pri. 

Assutne that after computing e<|uations 17 and 18 we get the 
following values for each placement machine: 
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3ssign_exp€cted = 



m^ 



SLSsign_ciirren1 



CP3J CP3.2 

2000.0 2000.0 
459.0 459.0 



127a0 498.0 

17S2.0 1500,0 

150.0 450.0 



Pi 
P2 
Pm 



The assign_expected matrix has the same values in both 
columns because we want to balance the load equally be- 
tween I he two placement machines for products pj, p?, and 
p3. Assign_current shows the component balance between 
tjie two niaehhies for components cj through cci at the 
current iteration of \lw balancing algorithm. 

lising equation 16 



0.26 0.72 
0.11 0.21 
0,67 0.02 



Referring Ui steps 0, 7, 8, aj\fi 9 m oxtr nuichine balancing? 
algorithm, the follomng items are computed, 

• Step 6. From equation 14, m^ = rt ® Ci using the Max_Prod 
fuzzy composition operator in equation 2: 



rio ® eio ^ Max-^ 



0.75 LO O.O] 



^..1^ 



0.26 0. 
0,11 (X2I 
0.67 0.02 



= Max[( 



0.19 OJl OmOM 0.21 0.01 



Thus, 

mio = 0.n)/CP3J + 0.54/CP3/2 

• Steps T and 8. Defuzzification =^ m.^ for c\ is obtained by 
applying the Max defuxzification method to mi^^. Thus, 
Max(miy) ^* mi> = CFlI2 meaning tliat component cjo is 



tS-r 




12 T 



assigned to machine CF3.2 since it has the maximal 
membership value (0.54). 

' Step 9- Update tlie relation n 

r - reLypdate(Ci, mj and updating 



assign_cuiTent 



1273.0 601.72 

1782.0 1710.0 

150/J 450.0 



at] 



10 



makes 



r = 



0.26 0.64 
O.U 0.15 
0.67 0.02 



for the next iteration. 

Results 

For this experiment we used two manufacturing production 
lines at our site. The first one is denoted as line 1 and the 
second one as line 2. Ttie total line volume is equivalent be- 
tween the two Unes. The statistics on the two lines inchide: 
' Line I: 27 products, 13 double-sided, 4 l;J imitjue components, 
and on average a component appears on 3<05 products- 
Line 2: 34 pniductSt 1 1 <louble-sided, 540 luiique components, 
and on average a component appears on 4,69 products. 

Pig. 1 1 shows the setup families created for the printed 
cu*cuil assembly products assigned to hues 1 and 2. 

Family Assignment 

Fig. 12 show^s the percentage of component placement vol- 
ume versus the cumulative contribution for each of the family 
assignment techniques described m this paper. 

line 1. Tlie result.s for this line were indeed phenomenal. 
The primary and A famihes together constitute 95% of com- 
ponent placement volume for the line. This results in no 



Primary 



m 



BCD 
Setup Families 

I Fuzzy Family Assignment 




Primary 



(b^ 



EfC CCMO Greedy Seward 



E) E 

N€MO Greedy Board 



Fig. Jl. The setup lajiiilies creaLed and ihe number of printed circuit assembly products contained in each lainily based on the type of 
family assignment aigorithm used, (a) Line L (b) Line Z. 
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Fig^ 13. A cumulative representation of the family assi^njuents for line 1 arid line 2 versus component placement volmne. (a) Line 
(b) line 2. 



need for setup changeover for 95% of the volume for one 
month. The 2B% reduction of the number of families is a side 
effect of the fuzi^y family assigimient optimization. 

line 2. The m^or achievement of l.he fus^y family assign- 
ment technique for line 2 was not just the moderate volume 



iniprovements over the greedy board and CCMO greedy 
board, but its ability to produce the same solution we ob- 
lained w^hen we manually forced certain products into a 
primary family usmg the greedy Ijoard method. When we 
first investigated greetly board capahiUties, we allowed 
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Fig. 14, Machine imbalance for liiie 2. 

hand-picked products to be force<l i!itt> a family, regardless 
of their greedy ratio. The forced products were carefully 
identified based on our oituitiQn and expertise. 

Machine Balancing 

Figs. 13 and 14 show the percentage ini balance for individ- 
ual printed circuit assemblies luanufaclured on lines 1 and 2 
respectively. The line 1 average inibalajtce was 12.75% for 
the fuzzy machine balancing approach and 3*^,9% for the 
balance obtained by the greedy boaid approacli. The line 2 
re.suits are 10.73% for the fuzzy machine balajicing api)roa( h 
and 29.58%i for 1 be greedy board approach. The famihes are 
tlie same ones providetl by the fuzzy family assi,giunent 
method. 
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